Splunk® Add-on for Unix and Linux (Legacy)

Deploy and Use the Splunk Add-on for Unix and Linux


The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.

What a Splunk App for Unix and Linux deployment looks like

Overview

The Splunk Add-on for Unix and Linux can be deployed in a number of ways. The most common way is to install the add-on into universal forwarders installed on *nix hosts. This is part of a larger deployment where a "central" Splunk instance contains the Splunk App for Unix and Linux or another app such as IT Service Intelligence.

The central Splunk instance can be one or more hosts

A central Splunk instance can consist of one or more hosts. In a single indexer setup, a Splunk Add-on for Unix and Linux deployment collects data about itself. In a multiple-server configuration, you can deploy:

  • At least one indexer that collects data from itself or from other *nix hosts.
  • One or more search heads that search the collected data on the indexers and host the application.

You can distribute the central Splunk instance further by adding more indexers and search heads. This lets you scale the deployment for additional incoming data volume.

The Splunk Add-on for Unix and Linux can monitor many *nix hosts at once

The Splunk Add-on for Unix and Linux supports collecting data from many *nix hosts. You monitor additional servers with your Splunk App for Unix and Linux deployment by:

  • Installing universal forwarders on each *nix host you want to include in the environment.
  • Configuring the forwarders to send data to the indexers in the central Splunk instance.
  • Deploying the Splunk Add-on for Unix and Linux onto those forwarders.

You can use a deployment server to manage universal forwarder configurations and deploy the Splunk Add-on for Unix and Linux onto many *nix hosts at once. Follow the instructions on Deploy the Splunk Add-on for Unix and Linux in a distributed Splunk environment to install the add-on on all three tiers of your distributed deployment: search head, indexers, and forwarders.
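As an added example, not taken from the Splunk documentation, the three configuration files that connect the tiers described above: outputs.conf and deploymentclient.conf on each forwarder, and serverclass.conf on the deployment server. The hostnames, ports and certificate paths are assumptions; Splunk_TA_nix is the add-on's app directory name, which must be placed under $SPLUNK_HOME/etc/deployment-apps/ on the deployment server.

```ini
# --- On every *nix host: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# The universal forwarder sends collected data to the central indexers over TLS.
# Hostnames, ports and certificate paths are assumptions for this example.
[tcpout]
defaultGroup = central_indexers

[tcpout:central_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true
# Verify the indexer certificate so a forwarder cannot be redirected to an
# impostor receiver; CA and client certificate paths are assumed.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com

# --- On every *nix host: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# The forwarder phones home to the deployment server, which pushes the add-on.
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# --- On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Server class matching the Linux forwarders (whitelist pattern is assumed);
# the add-on directory Splunk_TA_nix is deployed to every member.
[serverClass:nix_forwarders]
whitelist.0 = *.example.com
machineTypesFilter = linux-x86_64

[serverClass:nix_forwarders:app:Splunk_TA_nix]
stateOnClient = enabled
restartSplunkd = true
```

Restart the forwarder after editing its files; on the deployment server, run `splunk reload deploy-server` to pick up the new server class.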

Example deployment

The diagram below depicts an example Splunk App for Unix and Linux deployment.

Each *nix host on your network gets a Splunk universal forwarder. On that forwarder, you install the Splunk Add-on for Unix and Linux, which collects *nix data and sends it to the indexer(s) in the central Splunk App for Unix and Linux instance.

The central Splunk App for Unix and Linux instance has at least one search head (with the Splunk App for Unix and Linux installed on it) and an indexer. The indexer indexes the *nix data (black arrows), and the search head searches the indexer for that data (green arrow). The indexer returns events to the search head (blue arrow). Users log into the search head to use the app and see the data.

[Image: Unix 50 typicallayout.png, the example deployment layout described above]

The Professional Services team can help with questions and provide assistance with large or complex layouts.

Last modified on 07 December, 2017

This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 5.2.4
