Content Pack for Unix Dashboards and Reports


Install the Content Pack for Unix Dashboards and Reports

Perform the following high-level steps to install the Content Pack for Unix Dashboards and Reports:

  1. Install and configure the Splunk Add-on for Unix and Linux.
  2. Install the Content Pack for Unix Dashboards and Reports.
  3. Create indexes.

Prerequisite

Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.

Install and configure the Splunk Add-on for Unix and Linux

The Content Pack for Unix Dashboards and Reports relies on data collected by the Splunk Add-on for Unix and Linux.

To learn more about how to enable inputs in the Splunk Add-on for Unix and Linux, see Enable data and scripted inputs for the Splunk Add-on for Unix and Linux in the Splunk Add-on for Unix and Linux manual.

The following table shows the installation locations on the distributed environment for the content pack and the add-on:

Component                                      Search head / cluster   Indexer / cluster   Forwarder
Content Pack for Unix Dashboards and Reports   x
Splunk Add-on for Unix and Linux               x                       x                   x

You can automatically create entities and collect data on a recurring basis with ITSI entity integrations. The Unix and Linux entity integration uses the metrics index itsi_im_metrics to store the metrics data collected by the Splunk Add-on for Unix and Linux. However, the content pack only works with the events index defined by the os_index macro for events data. If you use both the entity integration and the content pack, you must consider ingesting data for certain fields into both the metrics and the events indexes. For more information, see About Unix and Linux entity integration in ITSI, and Collect *nix data in ITSI with the Splunk Add-on for Unix and Linux.

Install the Content Pack for Unix Dashboards and Reports

To install the Content Pack for Unix Dashboards and Reports, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the installation instructions for the Splunk App for Content Packs.

The content pack contents are automatically installed and start running when you install the Splunk App for Content Packs on the search head where you installed ITSI or IT Essentials Work.

After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Unix Dashboards and Reports:

  1. From the ITSI or ITE Work main navigation bar, click Configuration and then Data Integrations.
  2. Select Content Library.
  3. Select the Unix Dashboards and Reports content pack.
  4. Review what's included in the content pack and click Proceed.
  5. Configure the content pack settings.
    Setting: Modify status of saved searches
    Description: This configuration step is displayed only if the content pack contains saved searches. Within this configuration, you can perform one of the following operations:
    • Activate all saved searches - Activate all the saved searches associated with the content pack.
    • Deactivate all saved searches - Deactivate all the saved searches associated with the content pack.
    • Retain current status of saved searches - Preserve the existing status of the saved searches within the content pack.

    By default, saved searches included in a content pack are in the deactivated state.

  6. Click the Activate/Deactivate all saved searches button to modify the status of the saved searches of the Content Pack for Unix Dashboards and Reports.
  7. Click Install to confirm the installation. When the installation completes, the content pack tile shows the current status of all the saved searches in the content pack.

Create indexes

If you are migrating from the Splunk App for Unix and Linux to the Content Pack for Unix Dashboards and Reports, you don't need to create the indexes, because the content pack uses the same indexes as the app.

The Content Pack for Unix Dashboards and Reports requires two indexes on the search head for storing and displaying the details of fired alerts.

Create indexes unix_summary and firedalerts using the following resources:

Last modified on 29 June, 2023

This documentation applies to the following versions of Content Pack for Unix Dashboards and Reports: 1.1.4, 1.1.5

