Install the Splunk Add-on for Unix and Linux
You can install the Splunk Add-on for Unix and Linux with Splunk Web or from the command line. You can install the add-on onto any type of Splunk Enterprise or Splunk Cloud Platform instance.
- Get the Splunk Add-on for Unix and Linux by downloading it from http://splunkbase.splunk.com/app/833 or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables on this page.
- Complete your installation.
For add-on version 8.8.0 and up, there is a new eventtype named
nix_ta_custom_eventtype. Users can update this eventtype to include their required events. After updating the definition of this eventtype, the required events will be made available to the predefined eventtypes written in the add-on. See Define event types in Splunk Web.
For example, if you want to add a custom sourcetype
xyz to addon's eventtypes, set following value:
[nix_ta_custom_eventtype] search = sourcetype = "xyz"
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the Installation walkthroughs section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud Platform.
Use the tables on this page to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on
All supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform:
|Splunk platform instance type||Supported||Required||Comments|
|Search heads||Yes||Yes||Install this add-on to all search heads where Unix or Linux knowledge management is required. As a best practice, turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of or in addition to your data collection node.|
|Indexers||Yes||Conditional||Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data.|
|Heavy forwarders||Yes||See comments||This add-on supports forwarders of any type for data collection. The host must run a supported version of *nix.|
|Universal forwarders||Yes||See comments||This add-on supports forwarders of any type for data collection. The host must run a supported version of *nix.|
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features:
|Distributed deployment feature||Supported||Comments|
|Search head clusters||Yes||Disable add-on visibility on search heads.|
|Indexer clusters||Yes||To get data from an indexer cluster member, install the add-on into that member.|
|Deployment server||Yes||Supported for deploying the configured add-on to multiple nodes.|
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Installation and configuration overview for the Splunk Add-on for Unix and Linux
Upgrade the Splunk Add-on for Unix and Linux
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!