Data requirements for the Content Pack for Monitoring Unix and Linux
The IT Service Intelligence (ITSI) Content Pack for Monitoring Unix and Linux requires that you install the Splunk Add-on for Unix and Linux and configure it to collect and send data to your deployment.
While configuring the Splunk Add-on for Unix and Linux, use metrics-based indexes. Event indexes are also supported.
Prerequisite
First, install a universal forwarder on any host that you want to send data to your ITSI deployment. See About forwarding and receiving in the Splunk Enterprise Forwarding Data manual to learn how to install and configure universal forwarders.
Install the Splunk Add-on for Unix and Linux
Use the following table as a reference to install the Splunk Add-on for Unix and Linux on your deployment:
App | Installation link | Search heads | Indexers | Forwarders |
---|---|---|---|---|
Splunk Add-on for Unix and Linux | Installation steps | x | x | x |
For Linux systems, install the sysstat package to collect operating system data.
See What data the Splunk Add-on for Unix and Linux collects in the Deploy and Use Splunk Add-on for Unix and Linux manual for a reference of scripted and file inputs.
Configure the add-on to collect metrics data and send it to your Splunk deployment
Bandwidth data is ingested in the events index. The Splunk Add-on for Unix and Linux doesn't provide a metrics version of that source.
- Download the Splunk Add-on for Unix and Linux from Splunkbase.
- From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
- Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/. If this file already exists, merge the stanzas in the next step.
- Paste the following stanzas into the configuration file to generate the KPIs for the content pack:

    [script://./bin/bandwidth.sh]
    disabled = false
    index = os

    [script://./bin/cpu_metric.sh]
    disabled = false
    interval = 60
    index = itsi_im_metrics

    [script://./bin/df_metric.sh]
    disabled = false
    index = itsi_im_metrics

    [script://./bin/iostat_metric.sh]
    disabled = false
    index = itsi_im_metrics

    [script://./bin/vmstat_metric.sh]
    disabled = false
    index = itsi_im_metrics

- By default, all indexes are set to itsi_im_metrics. In each stanza, set it to the index you want to use.
- Save and close the file.
- Restart your universal forwarder. For more information, see Start the universal forwarder in the Splunk Enterprise Forwarder Manual.
- Use the Search and Reporting app to confirm that you see incoming data from the hosts you configured.
Configure the add-on to collect event data and send it to your Splunk deployment
- Download the Splunk Add-on for Unix and Linux from Splunkbase.
- From a command shell, place the add-on in the $SPLUNK_HOME/etc/apps directory.
- Create an inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/. If this file already exists, merge the stanzas in the next step.
- Paste the following stanzas into the configuration file to generate the KPIs for the content pack:

    [script://./bin/bandwidth.sh]
    disabled = false
    index=os

    [script://./bin/cpu.sh]
    disabled = false
    interval = 60
    index=os

    [script://./bin/df.sh]
    disabled = false
    index=os

    [script://./bin/hardware.sh]
    disabled = false
    index=os

    [script://./bin/iostat.sh]
    disabled = false
    index=os

    [script://./bin/nfsiostat.sh]
    disabled = false
    index=os

    [script://./bin/ps.sh]
    disabled = false
    interval = 300
    index=os

    [script://./bin/version.sh]
    disabled = false
    index=os

    [script://./bin/vmstat.sh]
    disabled = false
    index=os

- By default, all indexes are set to os. In each stanza, set it to the index you want to use.
- Save and close the file.
- Restart your universal forwarder. For more information, see Start the universal forwarder in the Splunk Enterprise Forwarder Manual.
- Use the Search and Reporting app to confirm that you see incoming data from the hosts you configured.
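To catch a missed merge or a stanza left disabled before the restart step in either procedure above, the following added example (not from the Splunk documentation) lints a local inputs.conf. `check_inputs`, `REQUIRED_INPUTS` and the report format are this example's own names, and the script list shown is the metrics one.

```shell
# Added example, not Splunk code: lint Splunk_TA_nix/local/inputs.conf before restarting
# the forwarder. check_inputs and its report format are names chosen for this example.

# Scripted inputs from the metrics stanzas on this page; replace with the event list
# (cpu.sh, df.sh, ...) when following the event procedure.
REQUIRED_INPUTS="bandwidth.sh cpu_metric.sh df_metric.sh iostat_metric.sh vmstat_metric.sh"

# check_inputs [FILE]  (reads stdin when FILE is omitted)
# Prints "OK <script> index=<name>" or "FAIL <script> <reason>" per required input and
# returns non-zero unless every one is present, enabled, and names an index explicitly.
check_inputs() {
    awk -v required="$REQUIRED_INPUTS" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^[ \t]*\[/ {                                # stanza header
            cur = match($0, /\[script:\/\/\.\/bin\/[^]]+\]/) ? substr($0, RSTART + 16, RLENGTH - 17) : ""
            if (cur != "") seen[cur] = 1
            next
        }
        cur != "" && index($0, "=") > 0 {            # key = value in a script stanza
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            conf[cur, key] = val
        }
        END {
            n = split(required, want, " ")
            for (i = 1; i <= n; i++) {
                s = want[i]; d = tolower(conf[s, "disabled"])
                if (!(s in seen))                  { print "FAIL " s " stanza missing"; bad++ }
                else if (d != "false" && d != "0") { print "FAIL " s " not enabled in this file"; bad++ }
                else if (conf[s, "index"] == "")   { print "FAIL " s " no index set"; bad++ }
                else print "OK " s " index=" conf[s, "index"]
            }
            exit (bad > 0)
        }' "$@"
}

# Constructed sample: cpu_metric.sh disabled, two stanzas absent, vmstat_metric.sh without index.
check_inputs <<'EOF' || echo "inputs.conf needs attention"
[script://./bin/bandwidth.sh]
disabled = false
index = os
[script://./bin/cpu_metric.sh]
disabled = 1
index = itsi_im_metrics
[script://./bin/vmstat_metric.sh]
disabled = false
EOF
```

This checks only the local file; `$SPLUNK_HOME/bin/splunk btool inputs list --debug` shows the merged configuration the forwarder loads.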
This documentation applies to the following versions of Content Pack for Monitoring Unix and Linux: 1.3.0