Splunk® App for Infrastructure

Install and Upgrade Splunk App for Infrastructure

Install the Splunk App for Infrastructure in a Splunk Cloud deployment

You must be a Splunk Cloud administrator to install and manage apps in your Splunk Cloud environment. To install an app on Splunk Cloud, contact your Splunk sales representative or Splunk Support. You will need Splunk Support to complete these tasks:

  • Add the Splunk App for Infrastructure (SAI) to your Splunk Cloud environment.
  • Add the Splunk Add-on for Infrastructure to your Splunk Cloud environment.
  • Enable the HTTP Event Collector (HEC) in your Splunk Cloud environment.

If you want to collect VMware data, Splunk Support also has to complete these tasks:

  • Install VMware data collection components.
  • Confirm you have an ITSI license.

After Splunk Support installs the app and add-ons, and enables HEC for your cloud environment, configure your Splunk Cloud instance and hosts to send data to SAI.

You have to use the sc_admin user to make configuration changes.

What the cloud deployment looks like

Install a universal forwarder for metrics and logs collection on Windows systems. Install a universal forwarder for logs collection and collectd for metrics collection for *nix systems. You have to install universal forwarder credentials on every system you install a universal forwarder on. Data the universal forwarder collects is sent to the indexing tier in the cloud environment.

You must install collectd on *nix systems for metrics collection. Collectd sends data to an HEC in the indexing tier in the cloud environment.

If you plan to send VMware data to SAI, you have to deploy a Data Collection Node (DCN) and Data Collection Scheduler (DCS). For more information, see Install VMware data collection add-ons and dependencies.

If you plan to send AWS data to SAI, you have to deploy a heavy forwarder on a Windows or Linux system and install the Splunk Add-on for AWS, the Splunk Add-on for Infrastructure, and the universal forwarder credentials on it. To configure the heavy forwarder to send AWS data to SAI in the cloud environment, also install SAI on it.

This diagram describes a cloud environment that is ingesting data from a Windows system, a Mac system, a Linux system, and a heavy forwarder for AWS data collection.

This image describes a deployment with a Data Collection Node, a Data Collection Scheduler, a heavy forwarder, a Windows system, a Mac system, and a Linux system sending data over multiple ports to a Splunk Cloud environment.

Configure your cloud deployment for SAI

Follow these steps to set up your physical and cloud environment to start sending data to SAI.

1. Add the power role to sc_admin users

To fully configure and use SAI as an sc_admin user, ensure that all capabilities are assigned to each sc_admin user that has access to the cloud environment.

For more information about assigning the power capabilities to the sc_admin user, see sc_admin role permissions.

2. Install and configure the data collection agents on each applicable system

Do not run the easy install script or manually install data collection agents on a heavy forwarder that sends AWS data to SAI.

Use the easy install script to configure the data collection agents on each system that sends data to the cloud environment. For Windows systems, the easy install script installs and configures a universal forwarder. For *nix systems, the easy install script installs and configures a universal forwarder and collectd.

For information about the data collection script for each OS, see these topics in the Administer Splunk App for Infrastructure guide:

You can also manually set up the universal forwarder and collectd. For more information, see these topics in the Administer Splunk App for Infrastructure guide:

When you are configuring data collection, use these port values so that your cloud stack receives data from your systems:

Field                 Value
Monitoring Machine    http-inputs-<cloud_hostname>.splunkcloud.com
HEC port              443
Receiver port         9997

3. Install universal forwarder credentials

Follow this step for each system that is not already sending data to your cloud environment. Otherwise, skip this step.

You must install the universal forwarder credentials file on each system that sends data to your cloud environment. The universal forwarder credentials file contains a custom certificate for your Splunk Cloud deployment. The universal forwarder credentials are different from the credentials that you use to log into Splunk Cloud.

Before you install the universal forwarder credentials, remove outputs.conf on the universal forwarder that the script installed and configured.

If you have not already created a user for the universal forwarder, first create a user. To create a user, add credentials to a user-seed.conf file. For more information, see user-seed.conf in the Splunk Enterprise Admin Manual. If you modify a conf file, be sure to restart splunkd so your changes take effect.

By default, you must be the root user to make changes to the universal forwarder directory.

  1. Remove the existing outputs.conf file on the universal forwarder. Here are the default locations for each operating system:
    • Default *nix location: $SPLUNK_HOME/etc/apps/splunk_app_infra_uf_config/local/outputs.conf
    • Default Windows location: $SPLUNK_HOME\etc\apps\SplunkUniversalForwarder\local\outputs.conf
  2. Log in to your Splunk Cloud homepage.
  3. In the left sidebar, click Universal Forwarder.
  4. Click Download Universal Forwarder Credentials to download the splunkclouduf.spl file.
  5. From a command-line interface, go to the $SPLUNK_HOME/bin directory for your universal forwarder.
  6. Run the following command:

      ./splunk install app <full_path_to_splunkclouduf.spl> -auth <username>:<password>

     In this command, <username>:<password> are the login credentials for an existing account on the universal forwarder.

  7. Restart the universal forwarder:

      ./splunk restart
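
The *nix side of this procedure as a script, added here as an example (it is not Splunk's own tooling). It renames the old outputs.conf instead of deleting it, omits -auth so the CLI prompts for the account, and uses btool to confirm that no forwarding setting is still read from the old file. The script name, function names, and exit codes are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk's script): step 3 on a *nix universal forwarder.
set -u

# Default *nix location named in step 1 of the procedure above.
STALE_REL="etc/apps/splunk_app_infra_uf_config/local/outputs.conf"

# Move the script-generated outputs.conf aside instead of deleting it (a
# renamed file is no longer loaded) and print the backup path, if any.
backup_stale_outputs() {
    b_src="$1/$STALE_REL"
    [ -f "$b_src" ] || return 0
    b_dst="$b_src.bak.$(date +%Y%m%d%H%M%S)"
    mv -- "$b_src" "$b_dst" && printf '%s\n' "$b_dst"
}

# Steps 6 and 7. -auth is omitted so the CLI prompts for the local account
# rather than leaving the password in shell history and the process list.
install_uf_credentials() {
    i_home="$1"; i_spl="$2"
    [ -x "$i_home/bin/splunk" ] || { echo "no splunk binary in $i_home/bin" >&2; return 2; }
    [ -s "$i_spl" ] || { echo "credentials package not found: $i_spl" >&2; return 3; }
    chmod 600 -- "$i_spl"    # the package carries your stack's certificate
    "$i_home/bin/splunk" install app "$i_spl" || return 4
    "$i_home/bin/splunk" restart || return 5
}

# Fail if btool shows any effective outputs setting still read from the
# removed file (btool --debug prefixes each line with its source file).
verify_outputs() {
    if "$1/bin/splunk" btool outputs list --debug | grep -F "$STALE_REL"; then
        echo "stale outputs.conf is still in effect" >&2
        return 1
    fi
}

# Usage: sh install_uf_creds.sh <SPLUNK_HOME> <full_path_to_splunkclouduf.spl>
if [ "$#" -eq 2 ]; then
    backup_stale_outputs "$1" && install_uf_credentials "$1" "$2" && verify_outputs "$1"
fi
```

Run it as the user that owns the universal forwarder directory (root by default).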

4. Set up AWS data collection

When deploying a heavy forwarder to collect AWS data for SAI, you have to set up only forwarding on it. You do not have to set up receiving.

  1. If you plan to collect AWS data, install apps and add-ons on a heavy forwarder:
    1. Splunk App for Infrastructure
    2. Splunk Add-on for Infrastructure
    3. Splunk Add-on for AWS version 5.0.0
    4. universal forwarder credentials
  2. Configure AWS data collection. For information, see Configure AWS data collection for Splunk App for Infrastructure.

For information about installing apps and add-ons, see Where to get more apps and add-ons in the Splunk Enterprise Admin Manual.

For information about deploying a heavy forwarder, see Deploy a heavy forwarder in the Splunk Enterprise Forwarding Data guide.

5. Set up VMware data collection

To collect VMware data, you have to install and configure a Data Collection Node (DCN) and Data Collection Scheduler (DCS) outside of Splunk Cloud. To set up a DCN and DCS, see these topics:

VMware data collection with Splunk Cloud requires that you configure a universal forwarder with universal forwarder credentials between the DCN and the Splunk Cloud indexer endpoint. Configure the DCN to forward data to the universal forwarder. The universal forwarder will then send data from the DCN to Splunk Cloud with the proper credentials. For more information, see Install universal forwarder credentials.

You can install the universal forwarder on the system that's running the DCN. For steps about deploying a universal forwarder, see Install a *nix universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

For information about installing VMware data collection components, see Install VMware data collection add-ons and dependencies.

After you install the data collection components, set up VMware data collection. For more information, see Collect VMware vCenter Server metrics with Splunk App for Infrastructure in the Administer Splunk App for Infrastructure guide.

Last modified on 18 March, 2020

This documentation applies to the following versions of Splunk® App for Infrastructure: 2.0.0, 2.0.1, 2.0.2, 2.0.3

