Install the universal forwarder on AIX

Important: Splunk does not offer an installation package for Splunk Enterprise on AIX. There is a universal forwarder installation package for AIX versions 6.1 and 7.1.

To use Splunk Enterprise on AIX, you must download an older version of the Splunk software.

Prerequisites

The user that you install the universal forwarder as must have permission to read /dev/random and /dev/urandom or the installation will fail.

Basic installation

The AIX universal forwarder installer comes in tar file form. There is no current version of Splunk Enterprise available for AIX.

When you install with the tar file:

• Splunk Enterprise does not create the splunk user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually.
• Confirm that the disk partition that you install into has enough space to hold the uncompressed volume of the data you want to keep indexed.
• Use GNU tar to unpack the tar files, as AIX tar can fail to unpack long file names, fail to overwrite files, among other things. If you must use the system tar, confirm the tar output for error messages. GNU tar comes as part of the AIX Toolbox for Linux Applications package (usually as /opt/freeware/bin/tar.)

To install the universal forwarder on an AIX system, expand the tar file into an appropriate directory. The default installation directory for the universal forwarder is /opt/splunkforwarder.

Ulimit Settings

The AIX defaults typically are not very generous on max file size (fsize) and resident memory size (rss). Raise these limits for the user running splunk.

• The Data Segment Size (ulimit -d) needs to be at least 1 GB (1073741824 bytes)
• The Resident Memory Size (ulimit -m) needs to be at least :
• 512MB (536870912 bytes) for a Universal Forwarder
• 1 GB (1073741824 bytes) for a Indexer
• Max No Of Open Files (ulimit -n) should be increased to at least 8192
• File Size Limit (ulimit -f) should be set to unlimited (-1)

These values are set in /etc/security/limits on AIX on a per user basis. Do NOT set these in .profile These values need to defined as 512 byte blocks

If these are not set high enough you will see errors in splunkd.log:

03-11-2015 09:34:42.631 +0100 INFO ulimit - Limit: virtual address space size: unlimited
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data segment size: 134217728 bytes [hard maximum: unlimited] 
03-11-2015 09:34:42.632 +0100 WARN ulimit - Splunk may not work due to small data segment limit!  <<<<<<<<<<<
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: resident memory size: 33554432 bytes [hard maximum: 
03-11-2015 09:34:42.632 +0100 WARN ulimit - Splunk may not work due to small resident memory size limit! <<<<<<<<<<<
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: stack size: 33554432 bytes [hard maximum: 4294967296 bytes]
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: core file size: 0 bytes
03-11-2015 09:34:42.632 +0100 WARN ulimit - Core file generation disabled
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: unlimited
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: open files: 4096 files [hard maximum: unlimited]   <<<<<<<<<<<
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: cpu time: unlimited
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: 1073741312 bytes
03-11-2015 09:48:42.632 +0100 WARN ulimit - Splunk may not work due to low file size limit  <<<<<<<<<<

Startup options

The first time you start the universal forwarder after a new installation, you must accept the license agreement. To start the forwarder and accept the license in one step:

 $SPLUNK_HOME/bin/splunk start --accept-license

Note: There are two dashes before the accept-license option.

Next steps

To configure the forwarder to start automatically at boot time, see Enable boot-start as a non-root user.

See the Universal Forwarder manual to:

• Learn how to configure it to get and forward data.
• Learn the what commands you can issue to it.