Splunk® Add-on for Unix and Linux

Deploy and Use the Splunk Add-on for Unix and Linux

Enable data and scripted inputs for the Splunk Add-on for Unix and Linux

After you have installed the Splunk Add-on for Unix and Linux, you must enable the data and scripted inputs within the add-on so that it collects data from your data collection nodes.

The Splunk Add-on for Unix and Linux has a configuration page which lets you enable the inputs from within Splunk Web. This page is only available on full instances of Splunk Enterprise. Use this option when you are collecting data from a server with a full instance of Splunk Enterprise installed.

On a Universal Forwarder, enable the inputs from the command line or using the configuration files.

Enable the data and scripted inputs from within Splunk Web

When you configure the add-on from within Splunk Web, the configuration page is divided into two sections: the File and Directory Inputs section and the Scripted Inputs section.

  1. Log in to the Splunk Enterprise instance installed on the server from which you want to collect data.
  2. Activate the Splunk Add-on for Unix and Linux. For Splunk Enterprise version 6.x and later, locate the Splunk Add-on for Unix and Linux on the Apps page, and click the "Set up" link in the row for the Splunk Add-on for Unix and Linux. For version 5.x and earlier, click the App menu item in the upper right corner, then select Splunk Add-on for *Nix in the drop-down list.
  3. In the "File and Directory Inputs" section of the configuration page, click the radio buttons underneath "Enable" or "Disable" to enable or disable the input for the specified file or directory. You can also click the "(All)" link next to either "Enable" or "Disable" to enable or disable all of the displayed inputs.
  4. In the "Scripted Inputs" section, click the radio buttons underneath "Enable" or "Disable" to enable or disable the input for the specified script (as shown under "Name"). You can also click the "(All)" link next to "Enable" or "Disable" to enable or disable all of the displayed scripted inputs.
  5. (Optional) Set the interval for a script by entering a positive number in the "Interval" text box for each script. For example, if you want the cpu.sh script to run once an hour, type 3600 in the "Interval" text box for cpu.sh.
  6. Click Save.

Enable the data and scripted inputs from the command line

  1. From a shell prompt, run the setup.sh command:

           $SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh

setup.sh command line syntax and arguments

setup.sh has the following arguments:

       (no argument)   menu-based setup
       --auth          credentials (user:pass) for specified command
       --clone-all     clone input configuration from local to remote
       --disable-all   disable all inputs
       --disable-input input to be disabled
       --enable-all    enable all inputs
       --enable-input  input to be enabled
       --help          print usage and exit
       --install-app   install the app at the given location
       --interval      set input to given interval
       --list-all      show details all inputs
       --list-input    show details for input
       --usage, --?    print usage and exit
       --uri           remote uri (https://host:port) to use

setup.sh examples

To set cpu.sh interval to 120 seconds (with no auth prompt):

           setup.sh --interval cpu.sh 120

To disable all local inputs (with auth prompt):

           setup.sh --disable-all --auth admin:changeme1

To show input status on remote host foobar:

           setup.sh --list-all --uri https://foobar:8089

To update the unix app from your-server on the remote host foobar:

           setup.sh --install-app https://your-server/unix.spl --uri https://foobar:8089

To copy the local input configuration to the remote host foobar:

           setup.sh --clone-all --uri https://foobar:8089

Enable the data and scripted inputs with configuration files

When you configure data and scripted inputs using configuration files, copy only the input stanzas whose configurations you want to change. Do not copy the entire file, as those changes persist even after an upgrade.

  1. Create inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local directory.
  2. Open $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf for editing.
  3. Open $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf for editing.
  4. Copy the text of each input stanza that you want to enable from the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf file and paste it into the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file.
  5. In the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file, enable the inputs that you want the add-on to monitor by setting the disabled attribute for each input stanza to 0.
  6. Save the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file.
  7. Restart the Splunk Enterprise instance.
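
Steps 1 through 6 above, as an added shell example (not part of the add-on or of the original documentation): `enable_input` copies a single stanza from default/inputs.conf into local/inputs.conf and sets its disabled attribute to 0, so only the inputs you chose are overridden. The function name and the sample file contents, including the df.sh stanza and the interval values, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the add-on: copy ONE stanza from default/inputs.conf
# into local/inputs.conf with disabled = 0, leaving all other defaults alone.

# usage: enable_input DEFAULT_CONF LOCAL_CONF '[stanza header]'
enable_input() {
    default_conf=$1 local_conf=$2 stanza=$3

    # Do not append a second copy of a stanza that is already overridden.
    if [ -f "$local_conf" ] && grep -qxF -e "$stanza" "$local_conf"; then
        echo "already present in $local_conf: $stanza" >&2
        return 2
    fi

    # Emit the wanted stanza only, rewriting (or adding) the disabled setting.
    block=$(awk -v want="$stanza" '
        /^\[/ { if (inside) exit
                if ($0 == want) { inside = 1; found = 1; print }
                next }
        inside && /^[ \t]*disabled[ \t]*=/ { print "disabled = 0"; wrote = 1; next }
        inside && NF { print }
        END { if (!found) exit 1
              if (!wrote) print "disabled = 0" }
    ' "$default_conf") || { echo "no such stanza: $stanza" >&2; return 1; }

    mkdir -p "$(dirname "$local_conf")"
    printf '%s\n\n' "$block" >> "$local_conf"
}

# Constructed sample standing in for default/inputs.conf (values are illustrative).
demo() {
    app=$(mktemp -d)/Splunk_TA_nix
    mkdir -p "$app/default"
    cat > "$app/default/inputs.conf" <<'EOF'
[script://./bin/cpu.sh]
interval = 30
disabled = 1

[script://./bin/df.sh]
interval = 300
disabled = 1
EOF
    enable_input "$app/default/inputs.conf" "$app/local/inputs.conf" \
        '[script://./bin/cpu.sh]' || return
    cat "$app/local/inputs.conf"
}

demo
```

Against a real installation, pass the default and local inputs.conf paths under $SPLUNK_HOME/etc/apps/Splunk_TA_nix, review the resulting local file, and then restart as in step 7.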

This documentation applies to the following versions of Splunk® Add-on for Unix and Linux: 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4

