Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Enable data and scripted inputs for the Splunk Add-on for Unix and Linux

After you have installed the Splunk Add-on for Unix and Linux, you must enable the data and scripted inputs within the add-on so that it collects data from your data collection nodes.

The Splunk Add-on for Unix and Linux has a configuration page which lets you enable the inputs from within Splunk Web. This page is only available on Heavy Forwarders and full instances of Splunk Enterprise. Use this option when you are collecting data from a server with a full instance of Splunk Enterprise installed.

On a Universal Forwarder, you must enable the inputs using the configuration files.

Verify that you have execute rights for the bin folder. The scripts will display permission denied in the splunkd.log if you don't. Splunk must be installed and executed as root user for this Add-on to work properly.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in this manual for more information.

Collect statistical data from metrics indexes

Versions 7.2 and later of the Splunk platform support metric index data collection.

Create a metric index for each supported source type for which you would like to collect data. The Splunk Add-on for Unix and Linux supports metric index data collection for the following source types:

  • cpu_metric
  • df_metric
  • interfaces_metric
  • iostat_metric
  • ps_metric
  • vmstat_metric

Enable the data and scripted inputs from within Splunk Web

When you configure the add-on from within Splunk Web, the configuration page has into three sections: The File and Directory Inputs section, the Scripted Metric Input section and the Scripted Event Inputs section.

  1. Log into the Splunk Enterprise instance installed on the server from which you want to collect data.
  2. Activate the Splunk Add-on for Unix and Linux. Locate the Splunk Add-on for Unix and Linux on the Apps page, and click the Set up link in the row for the Splunk Add-on for Unix and Linux.
  3. In the File and Directory Inputs section of the configuration page, click the radio buttons below Enable or Disable to enable or disable the input for the specified file or directory. You can also click the (All) link next to either Enable or Disable to enable all of the displayed inputs.
  4. In the Scripted Metric Inputs section, click the radio buttons below Enable or Disable to enable or disable the input for the specified script (as shown under Name.) You can also click the (All) link next to Enable or Disable to enable or disable all of the displayed scripted metric inputs.
  5. Set the index for a metric input by selecting the metric index from the Index selection dropdown. Metric Index is mandatory when configuring the metric input.
  6. In the Scripted Event Inputs section, click the radio buttons below Enable or Disable to enable or disable the input for the specified script (as shown under Name.) You can also click the (All) link next to Enable or Disable to enable or disable all of the displayed scripted event inputs.
  7. (Optional) Set the interval for a script by entering a positive number in the Interval text box for each script. For example, if you want the cpu.sh script to run once an hour, type in 3600 in the "Interval" text box for cpu.sh.
  8. Click Save.

Enable the data and scripted inputs with configuration files

When you configure data and scripted inputs using configuration files, copy only the input stanzas whose configurations you want to change. Do not copy the entire file, as those changes persist even after an upgrade.

  1. Create inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local directory.
  2. Open $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf for editing.
  3. Open $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf for editing.
  4. Copy the input stanza text that you want to enable from the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf file and paste them into the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file.
  5. In the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file, enable the inputs that you want the add-on to monitor by setting the disabled attribute for each input stanza to 0.
  6. For any metric input, after enabling the metric input in the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file, configure an index for the enabled input by setting the index attribute for each metric input stanza to any preconfigured metric-index name.
  7. Save the $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file.
  8. Restart the Splunk instance.

Enable data and scripted inputs with the command line

To configure inputs using the command line interface (CLI). Use the following steps:

  1. Navigate to $SPLUNK_HOME/bin/.
  2. To enable all inputs, except metric inputs, enter the following command:
    ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh --enable-all
  3. To enable all inputs, including metric inputs, enter the following command:
    ./splunk cmd sh /opt/splunk/etc/apps/Splunk_TA_nix/bin/setup.sh --enable-all --metric-index <valid metric index>
  4. To list all inputs, enter the following command:
    ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh --list-all
  5. To identify other commands, enter the following command:
    ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh --usage OR ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh --help
  6. Restart the Splunk platform.

Configuration of file monitoring input for AIX

You must monitor the following files and directories and assign corresponding sourcetypes in AIX in order to utilize CIM mappings and field extractions.

File Name sourcetype
/var/adm/auth.log or path to security logs aix_secure
/var/adm/messages or path to system logs syslog
Last modified on 22 February, 2021
PREVIOUS
Upgrade the Splunk Add-on for Unix and Linux
  NEXT
Troubleshoot the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters