Splunk® App for Infrastructure

Install and Upgrade Splunk App for Infrastructure

This documentation does not apply to the most recent version of InfraApp.

Install the Splunk App for Infrastructure in a single-instance deployment

The single-instance Splunk Enterprise deployment serves as both the search head and the indexer. Install the Splunk Add-on for Infrastructure on the same instance of Splunk Enterprise on which you install the Splunk App for Infrastructure. If you install the Splunk Add-on for AWS, also install it on the same instance.

Steps

Follow these steps to get started with the Splunk App for Infrastructure in a single-instance deployment. In addition to installing the Splunk App for Infrastructure, these steps show you how to install the Splunk Add-on for Infrastructure and Splunk Add-on for AWS, configure the receiving port for your instance, and create an HEC token.

1. Install the Splunk App for Infrastructure

Follow these steps to install the app.

  1. In Splunk Web, go to Apps > Find More Apps.
  2. Search for Splunk App for Infrastructure.
  3. Select Install and follow the prompt.
  4. Restart Splunk Enterprise.

2. Install the Splunk Add-on for Infrastructure

Follow these steps to install the Splunk Add-on for Infrastructure. When you install the add-on, it creates the em_metrics and infra_alerts indexes. For more information about the source types and components that the add-on configures, see Source types and components for the Splunk Add-on for Infrastructure.

For more information, see Splunk Add-on for Infrastructure.

  1. In Splunk Web, go to Apps > Find More Apps.
  2. Search for Splunk Add-on for Infrastructure.
  3. Select Install and follow the prompt.
  4. Restart Splunk Enterprise.

3. (Optional) Install the Splunk Add-on for AWS

If you want to collect AWS CloudWatch data from your AWS accounts, follow these steps to install the Splunk Add-on for AWS.

For more information, see About the Splunk Add-on for Amazon Web Services.

  1. In Splunk Web, go to Apps > Find More Apps.
  2. Search for Splunk Add-on for AWS.
  3. Select Install and follow the prompt.
  4. Restart Splunk Enterprise.

4. Configure the receiving port

Enable receiving on the TCP port for logs and metrics data collection.

  1. In Splunk Web, log in as an administrator.
  2. Click Settings > Forwarding and receiving.
  3. At Configure receiving, click Add new.
  4. Specify the TCP port you want the receiver to listen on (the receiving port, also known as the listening port). The recommended port is 9997. For example, if you enter 9997, the receiver listens for connections from forwarders on port 9997. You can specify any unused port. You can use a tool like netstat to determine what ports are available on your system. Make sure the port you select is not in use by splunkweb or splunkd.
  5. Click Save. Splunk software starts listening for incoming data on the port you specified.
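
The port check from step 4, as an added example (not part of the original Splunk documentation). It parses `netstat -an` output and treats a port as taken only when a socket is listening on it, so an outbound connection to another host's port 9997 does not produce a false "in use" result. The sample listing is constructed and assumes Splunk Web on 8000 and splunkd on 8089; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a candidate receiving port is free by parsing
# `netstat -an` output. Only LISTEN/LISTENING sockets count as "in use".

# Constructed sample mixing Linux-style and Windows-style netstat lines.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:8000      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:8089      0.0.0.0:*         LISTEN
tcp6       0      0 :::8088           :::*              LISTEN
tcp        0      0 10.0.0.5:41022    10.0.0.9:9997     ESTABLISHED
  TCP    0.0.0.0:8191       0.0.0.0:0          LISTENING'

# Print every local TCP port in a listening state, one per line, sorted.
# The local address is the third field from the end in both formats.
listening_ports() {
    awk '$NF ~ /^LISTEN/ {
        n = split($(NF-2), parts, /[:.]/)
        if (parts[n] ~ /^[0-9]+$/) print parts[n]
    }' | sort -un
}

# port_is_free PORT < netstat-output
# Returns 0 if nothing listens on PORT, 1 if something does, 2 on a bad PORT.
port_is_free() {
    port=$1
    case $port in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    ! listening_ports | grep -x "$port" >/dev/null
}

# Check the recommended receiving port and a port splunkd already holds.
for candidate in 9997 8089; do
    if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free "$candidate"; then
        echo "$candidate: free"
    else
        echo "$candidate: already in use"
    fi
done
```

On a live host, pipe the output of `netstat -an` into `port_is_free` in place of the sample.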

5. Create the HTTP Event Collector (HEC) token

To complete this step, you should already be familiar with creating an HEC token in Splunk Enterprise. For information about configuring an HEC token, see Create an Event Collector token.

For Linux and Mac OS X data collection, create the HEC input and token for collectd metric collection. For Windows and AWS data collection, skip this step.

  1. In Splunk Web, log in as an administrator.
  2. Go to Settings > Data inputs, select HTTP Event Collector, and click New Token.
  3. For Select Source, do not check Enable indexer acknowledgement.
  4. For Input Settings, these are the required settings:
    • Source type: em_metrics
    • App context: Splunk_TA_Infrastructure
    • Index: em_metrics
    If the em_metrics source type is not available in the drop-down menu, enter the name of the source type in the filter box to select it.
  5. Generate the HEC Token to send data over HEC to the Splunk Enterprise instance.
  6. Confirm the token was created and take note of the Token Value.
  7. Go to Settings > Data inputs, select HTTP Event Collector, and click Global Settings. Take note of the HTTP Port Number; you will need it later when you start adding data.

6. Configure data collection

Configure data collection for the Splunk App for Infrastructure using the Add Data window. You can collect data from Linux, Mac OS X, and Windows hosts. If you installed and configured the Splunk Add-on for AWS, you can also collect data from your AWS accounts.

Once you configure data collection, you can view any host from which you're collecting data on the Investigate and Analysis Workspace pages in the app.

For information about configuring data collection, see How to add data to Splunk App for Infrastructure.


This documentation applies to the following versions of Splunk® App for Infrastructure: 1.2.1, 1.2.2, 1.2.3


Comments

Hi!

Thank you for pointing these things out! In Step 5, we:

* Removed instructions to set the "Port" value.
* Clarified how you can select the "em_metrics" source type if it doesn't appear in the drop-down menu.

Bashby splunk, Splunker
February 21, 2019

Also, you cannot choose a port in that section, only in the global settings can you do that.

Dmaislin splunk, Splunker
February 19, 2019

I found that if you type em_metrics in the filter, then you can choose it, but it is not visible unless you do that.

Dmaislin splunk, Splunker
February 19, 2019

Step 5, after hitting next, it says to add em_metrics which is an existing source type, but you cannot select it from the options as it does not display. I verified that the source type already exists since I installed the App and Add-on from Steps 1 and 2, restarted, checked every selectable option but it is not showing up. If I try and create a new source type it errors and says it already exists.

Dmaislin splunk, Splunker
February 19, 2019

Never mind, it was the next step. We should probably add a line to our docs for clarification.

Dmaislin splunk, Splunker
February 19, 2019
