Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Manually configure an OSX integration

Collect data from OSX entities by installing and customizing the file below.

Steps

1. Download and install OSX

Download the following file:

After downloading, manually customize the following install script using information from Step 2:

Installation script

Customize the following installation script.

export SPLUNK_URL="$SPLUNK_URL" && \
export HEC_PORT="$HEC_PORT" && \
export RECEIVER_PORT="$RECEIVER_PORT" && \
export INSTALL_LOCATION="$INSTALL_LOCATION" && \
export HEC_TOKEN="$HEC_TOKEN" && \
export ITSI_ENABLE_DOCKER=$ITSI_ENABLE_DOCKER && \
export ITSI_DOCKER_SOCK="$ITSI_DOCKER_SOCK" && \
export DIMENSIONS=$DIMENSIONS && \
export METRIC_TYPES=$METRIC_TYPES && \
export METRIC_OPTS=$METRIC_OPTS && \
export LOG_SOURCES="$LOG_SOURCES" && \
wget -o- https://docs.splunk.com/images/8/8b/OSX_Agent.zip && \
unzip OSX_Agent.zip && \
cd osx-agent && \
bash install_uf.sh && \
bash install_agent.sh && \
cd .. && \
rm -rf osx-agent

2. Specify configuration options

The following table describes the variables to configure for the installation script:

| Variable | Description |
| --- | --- |
| $SPLUNK_URL | Specify the FQDN or IP address of the Splunk instance you want to send data to. Do not enter a hostname. |
| $HEC_PORT | Specify the HEC port of the Splunk instance you want to send metrics data to. The default port is 8088. |
| $RECEIVER_PORT | Specify the receiver port of the Splunk instance you want to send logs data to. The default port is 9997. |
| $INSTALL_LOCATION | Specify the file location to install the Splunk Universal Forwarder to. The default location is /Applications/. |
| $HEC_TOKEN | Specify the HEC token you configured to send data to the Splunk instance. This should be a HEC token with access to the metrics index (default: itsi_im_metrics). The HEC token's sourcetype must be itsi_im_metrics. Tokens must be enabled in the global HEC settings at $SPLUNKWEB/en-US/manager/itsi/http-eventcollector. |
| $ITSI_ENABLE_DOCKER | If this is true, the Splunk Universal Forwarder monitors the Docker containers you are running on the host. Leave this empty (``) if this behavior is undesired. |
| $ITSI_DOCKER_SOCK | Specify the location of docker.sock, the Docker socket. The default location is /var/run/docker.sock. |
| $DIMENSIONS | Specify the dimensions to associate with this entity. This is a comma-separated value where each individual entry is a dimension key (without quotes) plus ":" (without quotes) plus a dimension value (with quotes). An example value is owner:"me",version:"3",location:"USA". Leave blank if this behavior is undesired. |
| $METRIC_TYPES | Specify the types of metrics to collect with collectd. This is a comma-separated value where each individual entry is a collectd plugin. The default value is cpu,uptime,df,disk,interface,load,memory. |
| $METRIC_OPTS | If this is cpu.by_cpu, collectd collects data for each CPU. If this is cpu.sum, collectd sums across all CPUs before sending data. |
| $LOG_SOURCES | Specify the logs to collect from the instance with the Splunk Universal Forwarder. This is a comma-separated string where each individual entry is a directory plus "%" plus the sourcetype of the log. Be sure to escape dollar signs and other reserved shell characters. The default value is "/etc/collectd/collectd.log%collectd,$SPLUNK_HOME/var/log/splunk/.log%uf,/var/log/system.log%systemlog". |
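
The value formats described in the table can be checked before the installation script runs, so that a malformed dimension, log source or port is caught before anything is installed. The following pre-flight functions are an added example, not Splunk code; the function names are hypothetical. They assume that values contain no embedded commas, that collectd plugin names use lowercase letters, digits and underscores, and that a blank list is acceptable.

```shell
#!/bin/sh
# Added example, not Splunk code. Assumes values contain no embedded commas and
# that collectd plugin names are lowercase letters, digits and underscores.

valid_port() {            # integer in 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_dimension() {       # key:"value" (key unquoted, value double-quoted)
    key=${1%%:*}; value=${1#*:}
    [ "$key" != "$1" ] || return 1                  # no ":" separator
    case "$key" in ''|*\"*|*' '*) return 1 ;; esac
    case "$value" in \"?*\") ;; *) return 1 ;; esac
    value=${value#\"}; value=${value%\"}
    case "$value" in *\"*) return 1 ;; esac         # stray inner quote
}
valid_log_source() {      # <path>%<sourcetype>
    path=${1%%\%*}; stype=${1#*\%}
    [ "$path" != "$1" ] || return 1                 # no "%" separator
    case "$stype" in ''|*%*|*' '*) return 1 ;; esac
    case "$path" in /*|\$*) ;; *) return 1 ;; esac  # absolute or $VAR-rooted
}
valid_plugin()      { case "$1" in ''|*[!a-z0-9_]*) return 1 ;; esac; }
valid_metric_opts() { case "$1" in cpu.by_cpu|cpu.sum) ;; *) return 1 ;; esac; }

check_list() {            # check_list <validator> <list>; a blank list is accepted
    validator=$1; list=$2
    [ -n "$list" ] || return 0
    case "$list" in ,*|*,|*,,*) return 1 ;; esac    # empty entries
    old_ifs=$IFS; IFS=,; set -f                     # split on commas, keep globs literal
    set -- $list
    set +f; IFS=$old_ifs
    for entry in "$@"; do "$validator" "$entry" || return 1; done
}
preflight() {             # reports each malformed variable, returns 1 if any
    rc=0
    valid_port "$HEC_PORT"                     || { echo "bad HEC_PORT" >&2; rc=1; }
    valid_port "$RECEIVER_PORT"                || { echo "bad RECEIVER_PORT" >&2; rc=1; }
    [ -n "$HEC_TOKEN" ]                        || { echo "empty HEC_TOKEN" >&2; rc=1; }
    check_list valid_dimension "$DIMENSIONS"   || { echo "bad DIMENSIONS" >&2; rc=1; }
    check_list valid_plugin "$METRIC_TYPES"    || { echo "bad METRIC_TYPES" >&2; rc=1; }
    valid_metric_opts "$METRIC_OPTS"           || { echo "bad METRIC_OPTS" >&2; rc=1; }
    check_list valid_log_source "$LOG_SOURCES" || { echo "bad LOG_SOURCES" >&2; rc=1; }
    return "$rc"
}
```

Source the file, export the variables, and run `preflight` before the installation script; a non-zero return means at least one value does not match the format in the table.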

Uninstall script

Use this script to reverse any changes or modifications.

export INSTALL_LOCATION="$INSTALL_LOCATION" && \
wget -o- https://docs.splunk.com/images/8/8b/OSX_Agent.zip && \
unzip OSX_Agent.zip && \
cd osx-agent && \
bash uninstall_agent.sh && \
cd .. && \
rm -rf osx-agent

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3

