Notable changes in the Splunk App for *Nix
Splunk App for *Nix
To improve and consolidate Unix performance and configuration data collection, the Splunk App for PCI Compliance contains a set of views in SA-EndpointProtection that display performance and configuration information from Solaris, Linux, and Mac OS X systems.
In previous versions, the collection of performance and configuration data from Unix systems was handled separately from the Splunk "knowledge objects" (such as transforms.conf and related files) that parsed and interpreted the data.
These functions are now merged into the Splunk for Unix and Linux app and distributed with the Splunk App for PCI Compliance. A version of the Splunk for Unix and Linux app is also available as a separate download from Splunkbase.
In the earlier version of the Splunk App for PCI Compliance:
- Deployment apps were distributed to forwarders to collect Unix performance and configuration data. After installation, these apps were located in $SPLUNK_HOME/etc/deployment_apps/. There were three of these apps:
  - linux_base
  - osx_base
  - solaris_base
- These apps used Python-based scripted inputs to perform collection tasks, making them unsuitable for installation on universal forwarders, which do not contain a Python distribution.
- SA-EndpointProtection contained the "knowledge objects" used to interpret the collected data.
In this version of the Splunk App for PCI Compliance:
- A single app, Splunk for Unix and Linux (or Splunk_TA_nix), now replicates the functionality of the older TA-deploymentapps, which have been deprecated. SA-EndpointProtection has not been deprecated, but knowledge pertaining to Unix data collection has been migrated into Splunk_TA_nix.
- Shell scripts are now used to perform data collection, so that Splunk_TA_nix can be installed on universal forwarders. For example, the functions provided by the following scripts in the older deployment apps are now performed by a single script in Splunk_TA_nix:
  - linux_base/bin/linux_service.py
  - osx_base/bin/os_service.py
  - solaris_base/bin/solaris_service.py
- Outputs from the scripts in Splunk_TA_nix have been leveraged to provide data in PCI Compliance. These outputs are:
  - cpu.sh - provides CPU utilization data
  - df.sh - provides filesystem utilization data
  - ps.sh - provides process information data
  - vmstat.sh - provides memory utilization data
- Splunk_TA_nix contains all the knowledge objects necessary to parse data produced by the scripted inputs. A few minor modifications were made to SA-EndpointProtection to facilitate backwards compatibility.
Previously, scripted inputs in the deprecated deployment apps generated sourcetype values in the following format:
<OS>:<script name or identifier>
For example, CPU data collected from a Linux, Solaris, or OS X host would have received one of the following sourcetype values:
- Linux:CPUTime
- Solaris:CPUTime
- OSX:CPUTime
In the new Splunk_TA_nix script architecture, it is not possible in all cases to distinguish the source operating system (OS) at the time of sourcetype classification. Therefore, sourcetypes from scripted inputs in the unified Splunk_TA_nix app have the following, less granular format:
Unix:<script name or identifier>
For example, CPU information collected from a Linux, Solaris, or OS X host using the new Splunk_TA_nix receives the same sourcetype classification irrespective of the source host's operating system.
Splunk administrators should be aware of this naming change, especially when writing searches that perform cross-platform comparison of data. For example, depending on the target system architecture, it might not be accurate to compare CPU utilization percentages directly.
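The following is an added example (not from the Splunk documentation) showing how a search-writing administrator can handle the two naming schemes side by side: it parses both the legacy <OS>:<identifier> form and the unified Unix:<identifier> form, makes explicit that the OS is no longer recoverable from the unified sourcetype, and builds an SPL sourcetype filter that matches one collector's data from both the deprecated deployment apps and Splunk_TA_nix. The prefixes and the CPUTime identifier are the ones named above; the function names are this example's own.

```python
"""Normalize legacy and unified Splunk_TA_nix sourcetype names (added example).

Only the two formats described on the page are assumed:
  legacy:  <OS>:<identifier>   e.g. Linux:CPUTime, Solaris:CPUTime, OSX:CPUTime
  unified: Unix:<identifier>   e.g. Unix:CPUTime
"""
from typing import List, Optional, Tuple

# Legacy OS prefixes named on the page; "Unix" is the unified, OS-agnostic prefix.
LEGACY_OS_PREFIXES: Tuple[str, ...] = ("Linux", "Solaris", "OSX")
UNIFIED_PREFIX = "Unix"


def parse_sourcetype(sourcetype: str) -> Tuple[Optional[str], str]:
    """Split a sourcetype into (os, identifier).

    os is None for the unified "Unix:" form: the operating system cannot be
    recovered from the sourcetype alone, so a cross-platform comparison must
    take it from another field (for example host metadata) instead.
    """
    prefix, sep, identifier = sourcetype.partition(":")
    if not sep or not identifier:
        raise ValueError(f"not a <prefix>:<identifier> sourcetype: {sourcetype!r}")
    if prefix == UNIFIED_PREFIX:
        return None, identifier
    if prefix in LEGACY_OS_PREFIXES:
        return prefix, identifier
    raise ValueError(f"unknown sourcetype prefix: {prefix!r}")


def unified_sourcetype(sourcetype: str) -> str:
    """Map a legacy (or already unified) sourcetype to the Unix:<identifier> form."""
    _, identifier = parse_sourcetype(sourcetype)
    return f"{UNIFIED_PREFIX}:{identifier}"


def sourcetype_filter(identifier: str) -> str:
    """Build an SPL sourcetype filter that matches one collector's data from
    both the deprecated deployment apps and Splunk_TA_nix, so an existing
    search keeps returning results across the upgrade."""
    names: List[str] = [f"{os_name}:{identifier}" for os_name in LEGACY_OS_PREFIXES]
    names.append(f"{UNIFIED_PREFIX}:{identifier}")
    return "(" + " OR ".join(f"sourcetype={name}" for name in names) + ")"


if __name__ == "__main__":
    for st in ("Linux:CPUTime", "Solaris:CPUTime", "OSX:CPUTime", "Unix:CPUTime"):
        os_name, ident = parse_sourcetype(st)
        print(f"{st:16} -> os={os_name!s:8} identifier={ident:8} unified={unified_sourcetype(st)}")
    print(sourcetype_filter("CPUTime"))
```

The `None` returned for the unified form is deliberate: a search that groups CPU utilization by the OS prefix of the sourcetype silently collapses all hosts into one bucket after the upgrade, which is exactly the cross-platform comparison pitfall described above.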
Summary of *nix upgrade considerations
Consider these important changes as you upgrade:
- If you were using the older deployment apps (linux_base, osx_base, solaris_base) and distributing these apps to forwarders, you can continue to do so without impact. The data collected by these older apps is still collected and interpreted correctly.
- To begin data collection on universal forwarders, you can now distribute Splunk_TA_nix to your systems.
Splunk_TA_nix now supersedes the older TA-deploymentapps. The older apps are disabled during installation. If custom modifications have been made to these apps, the changes need to be migrated manually into an appropriate app of your choosing.
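Because the older apps are disabled during installation, any site-specific changes made to them should be located before upgrading. The following added example (not Splunk's own tooling) walks $SPLUNK_HOME/etc/deployment_apps/ and lists, per deprecated app, the files an administrator would need to carry over by hand. It assumes the Splunk app-layout convention that shipped settings live in <app>/default/ and administrator overrides in <app>/local/; the three app names and the deployment_apps location come from this page, while the sample tree it builds is constructed for demonstration.

```python
"""Find site-specific customizations in the deprecated *nix deployment apps
(added example; assumes overrides live under <app>/local/)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Sequence

# App names from the page; they were distributed from $SPLUNK_HOME/etc/deployment_apps/.
DEPRECATED_APPS: Sequence[str] = ("linux_base", "osx_base", "solaris_base")


def find_local_customizations(deployment_apps: Path,
                              app_names: Sequence[str] = DEPRECATED_APPS) -> Dict[str, List[str]]:
    """Return {app_name: [paths under local/, relative to the app directory]}.

    Only apps that exist under deployment_apps appear in the result. An app
    mapped to an empty list has no local/ overrides and needs no manual
    migration; a non-empty list is the set of files to review and move into
    an app of your choosing before the old app is disabled.
    """
    found: Dict[str, List[str]] = {}
    for app in app_names:
        app_dir = deployment_apps / app
        if not app_dir.is_dir():
            continue
        local_dir = app_dir / "local"
        files: List[str] = []
        if local_dir.is_dir():
            files = sorted(
                p.relative_to(app_dir).as_posix()
                for p in local_dir.rglob("*")
                if p.is_file()
            )
        found[app] = files
    return found


def apps_needing_migration(found: Dict[str, List[str]]) -> List[str]:
    """Names of installed apps that carry at least one local/ override."""
    return sorted(app for app, files in found.items() if files)


def build_sample_layout(root: Optional[Path] = None) -> Path:
    """Create a constructed deployment_apps tree (not real data): linux_base
    with one local/inputs.conf override, osx_base with defaults only, and no
    solaris_base at all. Used when no real $SPLUNK_HOME is available."""
    root = root or Path(tempfile.mkdtemp(prefix="deployment_apps_"))
    (root / "linux_base" / "default").mkdir(parents=True, exist_ok=True)
    (root / "linux_base" / "local").mkdir(parents=True, exist_ok=True)
    (root / "linux_base" / "local" / "inputs.conf").write_text(
        "# constructed sample override\n[script://./bin/linux_service.py]\ninterval = 300\n"
    )
    (root / "osx_base" / "default").mkdir(parents=True, exist_ok=True)
    return root


if __name__ == "__main__":
    # Real use: inspect $SPLUNK_HOME/etc/deployment_apps; fall back to the
    # constructed sample tree when SPLUNK_HOME is not set.
    splunk_home = os.environ.get("SPLUNK_HOME")
    target = Path(splunk_home) / "etc" / "deployment_apps" if splunk_home else build_sample_layout()
    result = find_local_customizations(target)
    for app, files in result.items():
        print(f"{app}: {'needs manual migration' if files else 'no local overrides'}")
        for path in files:
            print(f"    {path}")
    if not result:
        print(f"none of {', '.join(DEPRECATED_APPS)} found under {target}")
```

Run it on the deployment server before the upgrade; every path it lists under a deprecated app is a change that will otherwise be lost when that app is disabled.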
| former script | new script (or existing script) |
* Only present on Linux
** Only present on Mac OS X and Linux
*** Might require root privileges to produce complete results on the indicated OS
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1