What a Splunk App for Unix and Linux deployment looks like
Overview
The Splunk Add-on for Unix and Linux can be deployed in a number of ways. The most common way is to install the add-on into universal forwarders installed on *nix hosts. This is part of a larger deployment where a "central" Splunk instance contains the Splunk App for Unix and Linux or another app such as IT Service Intelligence.
The central Splunk instance can be one or more hosts
A central Splunk instance can consist of one or more hosts. In a single indexer setup, a Splunk Add-on for Unix and Linux deployment collects data about itself. In a multiple-server configuration, you can deploy:
- At least one indexer that collects data from itself or other *nix hosts.
- One or more search heads that search the collected data on the indexers and host the application.
You can distribute the central Splunk instance further by adding more indexers and search heads. This lets you scale the deployment for additional incoming data volume.
The Splunk Add-on for Unix and Linux can monitor many *nix hosts at once
The Splunk Add-on for Unix and Linux supports collecting data from many *nix hosts. You monitor additional servers with your Splunk App for Unix and Linux deployment by:
- Installing universal forwarders on each *nix host you want to include in the environment.
- Configuring the forwarders to send data to the indexers in the central Splunk instance.
- Deploying the Splunk Add-on for Unix and Linux onto those forwarders.
You can use a deployment server to manage universal forwarder configurations and deploy the Splunk Add-on for Unix and Linux onto many *nix hosts at once. Follow the instructions on Deploy the Splunk Add-on for Unix and Linux in a distributed Splunk environment to install the add-on on all three tiers of your distributed deployment: search head, indexers, and forwarders.
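The three steps above come down to a handful of Splunk configuration files on each tier. The following is an added example, not part of this documentation page or of the add-on itself: it shows the forwarder's outputs.conf and deploymentclient.conf, the deployment server's serverclass.conf, and the indexer's inputs.conf, with the forwarder-to-indexer link set up over TLS so that collected host data is not shipped in clear text. All hostnames, file paths and the CA/certificate locations are assumptions; Splunk_TA_nix is assumed to be the add-on's directory name as unpacked under etc/deployment-apps, and cpu.sh is assumed to be one of the scripted inputs the add-on ships.

```ini
# ===== Tier 1: universal forwarder on each *nix host =====
# File: $SPLUNK_HOME/etc/system/local/outputs.conf
# Send collected data to the central indexers over TLS and verify the
# indexer certificate, so a forwarder only talks to the real indexer tier.
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
# assumed indexer hostnames; 9997 is the conventional receiving port
server = idx1.example.internal:9997, idx2.example.internal:9997
# assumed paths: CA bundle that signed the indexer certs, and this host's client cert
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslCertPath = $SPLUNK_HOME/etc/auth/forwarder.pem
sslVerifyServerCert = true

# File: $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Point the forwarder at the deployment server that pushes the add-on.
[deployment-client]

[target-broker:deploymentServer]
# assumed deployment server hostname; 8089 is the management port
targetUri = deploy.example.internal:8089

# ===== Tier 2: deployment server =====
# File: $SPLUNK_HOME/etc/system/local/serverclass.conf
# Only forwarders whose name matches the whitelist and whose platform is
# Linux receive the add-on; an unexpected host cannot pull it just by
# pointing at the deployment server.
[serverClass:nix_forwarders]
whitelist.0 = *.example.internal
machineTypesFilter = linux-x86_64, linux-i686

[serverClass:nix_forwarders:app:Splunk_TA_nix]
# Splunk_TA_nix must exist under $SPLUNK_HOME/etc/deployment-apps/
restartSplunkd = true
stateOnClient = enabled

# File: $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf
# Local override that turns on one of the add-on's scripted inputs
# (the shipped defaults are disabled); this file is pushed with the add-on.
[script://./bin/cpu.sh]
interval = 30
disabled = 0

# ===== Tier 3: indexer =====
# File: $SPLUNK_HOME/etc/system/local/inputs.conf
# Accept forwarder traffic only on the TLS receiver and require a client
# certificate, so a stray host cannot inject events into the index.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# assumed path to the indexer's server certificate (PEM with private key)
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
# placeholder: the passphrase protecting the private key in indexer.pem
sslPassword = <KEY_PASSPHRASE_PLACEHOLDER>
requireClientCert = true
```

Two things to keep in mind when adapting this: Splunk .conf files do not support comments after a value on the same line, so every comment above sits on its own line; and the search head tier needs no receiving configuration at all, it only needs the Splunk App for Unix and Linux installed and the indexers listed as search peers.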
Example deployment
The diagram below depicts an example Splunk App for Unix and Linux deployment.
Each *nix host on your network gets a Splunk universal forwarder. On that forwarder, you install the Splunk Add-on for Unix and Linux which collects *nix data and sends it to the indexer(s) in the central Splunk App for Unix and Linux instance.
The central Splunk App for Unix and Linux instance has at least one search head (with the Splunk App for Unix and Linux installed on it) and an indexer. The indexer indexes the *nix data (black arrows), and the search head searches the indexer for that data (green arrow). The indexer returns events to the search head (blue arrow). Users log into the search head to use the app and see the data.
The Professional Services team can help with questions and provide assistance with large or complex layouts.
This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 5.2.4