
Install the universal forwarder on AIX
Important: Splunk does not offer an installation package for Splunk Enterprise on AIX. There is a universal forwarder installation package for AIX versions 6.1 and 7.1.
To use Splunk Enterprise on AIX, you must download an older version of the Splunk software.
Prerequisites
The user that you install the universal forwarder as must have permission to read /dev/random
and /dev/urandom
or the installation will fail.
Basic installation
The AIX universal forwarder installer comes in tar file form. There is no current version of Splunk Enterprise available for AIX.
When you install with the tar file:
- Splunk Enterprise does not create the
splunk
user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually. - Confirm that the disk partition that you install into has enough space to hold the uncompressed volume of the data you want to keep indexed.
- Use GNU
tar
to unpack the tar files, as AIXtar
can fail to unpack long file names, fail to overwrite files, among other things. If you must use the system tar, confirm thetar
output for error messages. GNUtar
comes as part of the AIX Toolbox for Linux Applications package (usually as/opt/freeware/bin/tar
.)
To install the universal forwarder on an AIX system, expand the tar file into an appropriate directory. The default installation directory for the universal forwarder is /opt/splunkforwarder
.
Ulimit Settings
The AIX defaults typically are not very generous on max file size (fsize) and resident memory size (rss). Raise these limits for the user running splunk.
- The Data Segment Size (ulimit -d) needs to be at least 1 GB (1073741824 bytes)
- The Resident Memory Size (ulimit -m) needs to be at least :
- 512MB (536870912 bytes) for a Universal Forwarder
- 1 GB (1073741824 bytes) for a Indexer
- Max No Of Open Files (ulimit -n) should be increased to at least 8192
- File Size Limit (ulimit -f) should be set to unlimited (-1)
These values are set in /etc/security/limits on AIX on a per user basis. Do NOT set these in .profile These values need to defined as 512 byte blocks
If these are not set high enough you will see errors in splunkd.log:
03-11-2015 09:34:42.631 +0100 INFO ulimit - Limit: virtual address space size: unlimited 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data segment size: 134217728 bytes [hard maximum: unlimited] 03-11-2015 09:34:42.632 +0100 WARN ulimit - Splunk may not work due to small data segment limit! <<<<<<<<<<< 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: resident memory size: 33554432 bytes [hard maximum: 03-11-2015 09:34:42.632 +0100 WARN ulimit - Splunk may not work due to small resident memory size limit! <<<<<<<<<<< 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: stack size: 33554432 bytes [hard maximum: 4294967296 bytes] 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: core file size: 0 bytes 03-11-2015 09:34:42.632 +0100 WARN ulimit - Core file generation disabled 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: unlimited 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: open files: 4096 files [hard maximum: unlimited] <<<<<<<<<<< 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: cpu time: unlimited 03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: 1073741312 bytes 03-11-2015 09:48:42.632 +0100 WARN ulimit - Splunk may not work due to low file size limit <<<<<<<<<<
Startup options
The first time you start the universal forwarder after a new installation, you must accept the license agreement. To start the forwarder and accept the license in one step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the accept-license
option.
Next steps
To configure the forwarder to start automatically at boot time, see Enable boot-start as a non-root user.
See the Universal Forwarder manual to:
- Learn how to configure it to get and forward data.
- Learn the what commands you can issue to it.
PREVIOUS Install the universal forwarder on FreeBSD |
NEXT Install the universal forwarder on HP-UX |
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
Feedback submitted, thanks!