Install the universal forwarder on AIX
Important: Splunk does not offer an installation package for Splunk Enterprise on AIX. There is a universal forwarder installation package for AIX versions 6.1 and 7.1.
To use Splunk Enterprise on AIX, you must download an older version of the Splunk software.
The user that you install the universal forwarder as must have permission to read /dev/urandom or the installation will fail.
The AIX universal forwarder installer comes in tar file form. There is no current version of Splunk Enterprise available for AIX.
When you install with the tar file:
- Splunk Enterprise does not create the splunk user automatically. If you want Splunk Enterprise to run as a specific user, you must create the user manually.
- Confirm that the disk partition that you install into has enough space to hold the uncompressed volume of the data you want to keep indexed.
- Use GNU tar to unpack the tar files, as AIX tar can fail to unpack long file names and fail to overwrite files, among other things. If you must use the system tar, check the tar output for error messages. GNU tar comes as part of the AIX Toolbox for Linux Applications package (usually as
To install the universal forwarder on an AIX system, expand the tar file into an appropriate directory. The default installation directory for the universal forwarder is
The AIX defaults typically are not very generous on max file size (fsize) and resident memory size (rss). Raise these limits for the user running splunk.
- The Data Segment Size (ulimit -d) needs to be at least 1 GB (1073741824 bytes)
- The Resident Memory Size (ulimit -m) needs to be at least:
  - 512 MB (536870912 bytes) for a Universal Forwarder
  - 1 GB (1073741824 bytes) for an Indexer
- Max No Of Open Files (ulimit -n) should be increased to at least 8192
- File Size Limit (ulimit -f) should be set to unlimited (-1)
These values are set in /etc/security/limits on AIX on a per-user basis. Do NOT set these in .profile. These values need to be defined as 512-byte blocks.
If these are not set high enough you will see errors in splunkd.log:
03-11-2015 09:34:42.631 +0100 INFO ulimit - Limit: virtual address space size: unlimited
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data segment size: 134217728 bytes [hard maximum: unlimited]
03-11-2015 09:34:42.632 +0100 WARN ulimit - Splunk may not work due to small data segment limit! <<<<<<<<<<<
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: resident memory size: 33554432 bytes [hard maximum:
03-11-2015 09:34:42.632 +0100 WARN ulimit - Splunk may not work due to small resident memory size limit! <<<<<<<<<<<
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: stack size: 33554432 bytes [hard maximum: 4294967296 bytes]
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: core file size: 0 bytes
03-11-2015 09:34:42.632 +0100 WARN ulimit - Core file generation disabled
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: unlimited
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: open files: 4096 files [hard maximum: unlimited] <<<<<<<<<<<
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: cpu time: unlimited
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: 1073741312 bytes
03-11-2015 09:48:42.632 +0100 WARN ulimit - Splunk may not work due to low file size limit <<<<<<<<<<
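A forwarder that dies or stalls on a low limit leaves a gap in log collection, so it is worth checking these lines after every install. The script below is an added example, not part of the Splunk documentation: it reads the ulimit lines of splunkd.log, compares them with the universal forwarder minimums above, and prints the value to set in /etc/security/limits (sizes converted to 512-byte blocks). The function name, the sample log and the output format are assumptions; `data` and `nofiles` are the AIX limits-file attribute names, which this page does not spell out.

```shell
#!/bin/sh
# Added example, not Splunk code: audit splunkd.log ulimit lines against the
# universal forwarder minimums listed on this page.

# Constructed sample in the splunkd.log format shown above.
SAMPLE_LOG='03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data segment size: 134217728 bytes [hard maximum: unlimited]
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: resident memory size: 536870912 bytes [hard maximum: unlimited]
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: open files: 4096 files [hard maximum: unlimited]
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: data file size: 1073741312 bytes
03-11-2015 09:34:42.632 +0100 INFO ulimit - Limit: cpu time: unlimited'

# Reads splunkd.log on stdin. Prints one line per limit below the minimum, with
# the value to set in /etc/security/limits; returns 1 if any limit is too low.
check_ulimits() {
  awk '
    BEGIN {
      # log name -> minimum in bytes (or files) and limits-file attribute
      min["data segment size"] = 1073741824;   attr["data segment size"] = "data"
      min["resident memory size"] = 536870912; attr["resident memory size"] = "rss"
      min["open files"] = 8192;                attr["open files"] = "nofiles"
      min["data file size"] = -1;              attr["data file size"] = "fsize"
    }
    / ulimit - Limit: / {
      sub(/^.* ulimit - Limit: /, "")     # drop timestamp and log level
      sub(/ *\[hard maximum.*$/, "")      # drop the hard-limit suffix
      sub(/ *<+ *$/, "")                  # drop hand-added <<<< markers
      i = index($0, ": "); if (i == 0) next
      name = substr($0, 1, i - 1); val = substr($0, i + 2)
      sub(/ (bytes|files)$/, "", val)
      if (!(name in min) || val == "unlimited") next
      if (min[name] == -1) {              # file size must be unlimited
        printf "LOW %s=%s want fsize = -1\n", attr[name], val; bad = 1
      } else if (val + 0 < min[name]) {
        # sizes go into the limits file as 512-byte blocks; nofiles is a count
        want = (attr[name] == "nofiles") ? min[name] : min[name] / 512
        printf "LOW %s=%s want %s = %d\n", attr[name], val, attr[name], want; bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Demo run on the constructed sample; on a real host pipe in splunkd.log instead.
printf '%s\n' "$SAMPLE_LOG" | check_ulimits || true
```

For an indexer, raise the `resident memory size` minimum in the script to 1073741824 bytes, per the list above.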
The first time you start the universal forwarder after a new installation, you must accept the license agreement. To start the forwarder and accept the license in one step:
$SPLUNK_HOME/bin/splunk start --accept-license
Note: There are two dashes before the
To configure the forwarder to start automatically at boot time, see Enable boot-start as a non-root user.
See the Universal Forwarder manual to:
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10