Install the Content Pack for Unix Dashboards and Reports
Perform the following high-level steps to install the Content Pack for Unix Dashboards and Reports:
- Install and configure the Splunk Add-on for Unix and Linux.
- Install the Content Pack for Unix Dashboards and Reports.
- Create indexes.
Prerequisite
Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
Install and configure the Splunk Add-on for Unix and Linux
The Content Pack for Unix Dashboards and Reports relies on data collected by the Splunk Add-on for Unix and Linux.
To learn more about how to enable inputs in the Splunk Add-on for Unix and Linux, see Enable data and scripted inputs for the Splunk Add-on for Unix and Linux in the Splunk Add-on for Unix and Linux manual.
The following table shows the installation locations on the distributed environment for the content pack and the add-on:
Component | Search head /cluster | Indexer / cluster | Forwarder |
---|---|---|---|
Content Pack for Unix Dashboards and Reports | x | ||
Splunk Add-on for Unix and Linux | x | x | x |
You can automatically create entities and collect data on a recurring basis with ITSI entity integrations. The Unix and Linux entity integration stores the metrics collected by the Splunk Add-on for Unix and Linux in the itsi_im_metrics metrics index. The content pack, however, works only with event data in the events index referenced by the os_index macro. If you use both the entity integration and the content pack, plan to ingest the fields both need into both the metrics index and the events index. For more information, see About Unix and Linux entity integration in ITSI, and Collect *nix data in ITSI with the Splunk Add-on for Unix and Linux.
Install the Content Pack for Unix Dashboards and Reports
To install the Content Pack for Unix Dashboards and Reports, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the installation instructions for the Splunk App for Content Packs.
The content pack contents are automatically installed and start running when you install the Splunk App for Content Packs on the search head where you installed ITSI or IT Essentials Work.
After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Unix Dashboards and Reports:
- From the ITSI or ITE Work main navigation bar, click Configuration and then Data Integrations.
- Select Content Library.
- Select the Unix Dashboards and Reports content pack.
- Review what's included in the content pack and click Proceed.
- Configure the content pack settings.
Setting | Description |
---|---|
Modify status of saved searches | This configuration step is displayed only if the content pack contains saved searches. You can choose one of the following: Activate all saved searches (activates every saved search associated with the content pack), Deactivate all saved searches (deactivates every saved search associated with the content pack), or Retain current status of saved searches (preserves the existing status of each saved search in the content pack). By default, saved searches included in a content pack are deactivated. |
- Click the Activate/Deactivate all saved searches button to modify the status of the saved searches of the Content Pack for Unix Dashboards and Reports.
- Click Install to confirm the installation. After installation, the content pack tile shows the current status of all of its saved searches.
Create indexes
If you are migrating from the Splunk App for Unix and Linux to the Content Pack for Unix Dashboards and Reports, you don't need to create the indexes, because the content pack uses the same indexes as the app.
The Content Pack for Unix Dashboards and Reports requires two events indexes on the search head for indexing and showing the details of fired alerts.
Create the indexes unix_summary and firedalerts using the following resources:
- For Splunk Enterprise, see Create events indexes.
- For Splunk Cloud Platform, see Create a Splunk Cloud Platform events index.
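As an added example that is not from the Splunk documentation, the content pack, or the add-on, the following indexes.conf stanzas define the two events indexes on a Splunk Enterprise search head. The file location ($SPLUNK_HOME/etc/system/local/indexes.conf), the storage paths under $SPLUNK_DB, and the retention limits are assumptions; adjust them to your deployment. On Splunk Cloud Platform you cannot edit indexes.conf directly, so create the indexes through the UI instead.

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/indexes.conf
# Defines the two events indexes the Content Pack for Unix Dashboards and
# Reports expects. Storage paths and size/retention values are assumptions.

[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb
# Bound growth of summary data: freeze buckets after 90 days (assumed)
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB     = 51200

[firedalerts]
homePath   = $SPLUNK_DB/firedalerts/db
coldPath   = $SPLUNK_DB/firedalerts/colddb
thawedPath = $SPLUNK_DB/firedalerts/thaweddb
# Fired-alert records are small; keep them 90 days (assumed)
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB     = 10240
```

Restart splunkd after saving the file, or create the indexes from the CLI with `splunk add index unix_summary` and `splunk add index firedalerts` instead. To confirm the indexes exist and are searchable, run `| eventcount summarize=false index=unix_summary index=firedalerts` from the search head. Because these indexes hold host-level summary data and alert details, grant search access to them only to the roles that use the content pack dashboards.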
This documentation applies to the following versions of Content Pack for Unix Dashboards and Reports: 1.1.4, 1.1.5