Splunk® Add-on for Unix and Linux (Legacy)

Deploy and Use the Splunk Add-on for Unix and Linux

The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.

Deploy the Splunk Add-on for Unix and Linux in a distributed Splunk environment

If you plan to install the Splunk Add-on for Unix and Linux in a distributed Splunk environment, you must do so differently than you would if you install the add-on on a single host.

The following table shows the recommended locations in a Splunk App for Unix and Linux deployment for each component. The app itself belongs only on search heads; the add-on goes everywhere *nix data is collected, indexed, or distributed.

Recommended Splunk App for Unix and Linux Component Installation Locations

Component                    Search Head   Indexer   Forwarder   Deployment Server
App (splunk_app_for_nix)     X
Add-on (Splunk_TA_nix)       X             X         X           X

In a distributed Splunk App for Unix and Linux environment, the indexers and search heads together make up a "central" Splunk App for Unix and Linux instance. This central instance indexes the *nix data sent to it by universal forwarders that have the Splunk Add-on for Unix and Linux installed.

Note:

  • The following installation instructions are generic. You might need to make additional adjustments and configuration changes based on your specific network topology.
  • A deployment server can help ease configuration of a large number of clients in a distributed environment. Consider installing a deployment server in your environment if you have not already.
  • See "Forward search head data to your indexers" in the Distributed Search Manual for additional information on forwarding search head data.

1. Install the Splunk Add-on for Unix and Linux on an indexer

To build your distributed Splunk App for Unix and Linux deployment, first install Splunk Enterprise and the Splunk Add-on for Unix and Linux onto the hosts that will index *nix data:

  1. Identify the hosts that will be part of the central Splunk Add-on for Unix and Linux instance. These hosts store incoming *nix data from *nix hosts.
  2. Install full Splunk Enterprise onto each of the indexers.
  3. Configure each indexer to receive data from forwarders.
  4. Follow the procedure at Install the Splunk Add-on for Unix and Linux to place the Splunk Add-on for Unix and Linux onto each indexer.
  5. If an indexer is itself a *nix host whose data you want to collect, complete the procedure in "Enable the data and scripted inputs within the Splunk_TA_nix add-on" on that indexer.
  6. Restart Splunk Enterprise on each host to complete the add-on installation.

2. Install the Splunk Add-on for Unix and Linux on a search head

After you install the Splunk Add-on for Unix and Linux onto your indexers, install the app onto the search heads that search those indexers. Once the app is on the search heads, you can log into them and view the incoming *nix data.

To install the Splunk Add-on for Unix and Linux on a search head:

  1. Identify the hosts that will act as search heads in your Splunk Add-on for Unix and Linux deployment.
  2. Install Splunk Enterprise onto each of these hosts, if it is not already installed.
  3. On each host, configure Splunk Enterprise to search across all of the indexers in the deployment that will store *nix data.
  4. Complete the procedure in Install the Splunk App for Unix and Linux on a single host to place the Splunk App for Unix and Linux components onto each search head.
  5. Restart Splunk Enterprise to complete the app installation.

3. Install the Splunk Add-on for Unix and Linux on a forwarder

After you have installed the Splunk App for Unix and Linux onto the indexers and search heads in the central Splunk App for Unix and Linux instance, install the Splunk Add-on for Unix and Linux onto the *nix hosts from which you want to collect *nix data.

Do this by installing universal forwarders onto those hosts, and then installing the add-on into the universal forwarders. The forwarders then send *nix data to the indexers in the central Splunk App for Unix and Linux instance.

  1. Identify the hosts from which you want to collect *nix data.
  2. Install a Splunk universal forwarder on these hosts.
  3. Configure the forwarder to send data to the indexers in the central Splunk App for Unix and Linux instance.
  4. Complete the procedure in Install the Splunk Add-on for Unix and Linux to place the Splunk Add-on for Unix and Linux into each universal forwarder.
  5. Complete the procedure in Enable the data and scripted inputs within the add-on.
  6. Restart the universal forwarder to complete the add-on installation.
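The forwarder-side steps above, as an added shell example that is not part of the Splunk documentation or of the add-on itself. It writes the two files a universal forwarder needs once Splunk_TA_nix has been copied into $SPLUNK_HOME/etc/apps: a local/inputs.conf that enables selected scripted inputs, and an outputs.conf that points the forwarder at the central indexers. The overrides go into local/ directories so that a later upgrade of the add-on does not overwrite them. Assumptions not taken from this page: SPLUNK_HOME defaults to a scratch directory so the script runs without a forwarder present, the indexers receive on port 9997, and the scripted-input stanza names follow the add-on's default inputs.conf (check them against the version you deploy).

```shell
#!/bin/sh
# Added example (not from the Splunk documentation or the add-on): stage
# Splunk_TA_nix overrides on a universal forwarder and point it at the
# central indexers. Assumptions: SPLUNK_HOME falls back to a scratch dir,
# indexers listen on 9997, stanza names match the add-on's default inputs.conf.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)}"
TA_DIR="$SPLUNK_HOME/etc/apps/Splunk_TA_nix"

# Write local/inputs.conf enabling the named scripted inputs. Names are given
# without the script://./bin/ prefix and .sh suffix, e.g. "vmstat ps".
enable_nix_inputs() {
    inputs_conf="$TA_DIR/local/inputs.conf"
    mkdir -p "$(dirname "$inputs_conf")"
    : > "$inputs_conf"
    for name in "$@"; do
        printf '[script://./bin/%s.sh]\ndisabled = 0\n\n' "$name" >> "$inputs_conf"
    done
    echo "$inputs_conf"
}

# Write outputs.conf so the forwarder sends to every indexer in the list.
# The receiving port 9997 is an assumption; match your indexers' configuration.
configure_outputs() {
    outputs_conf="$SPLUNK_HOME/etc/system/local/outputs.conf"
    mkdir -p "$(dirname "$outputs_conf")"
    servers=$(printf '%s:9997,' "$@" | sed 's/,$//')
    cat > "$outputs_conf" <<EOF
[tcpout]
defaultGroup = nix_indexers

[tcpout:nix_indexers]
server = $servers
EOF
    echo "$outputs_conf"
}

# Sanity check: number of stanzas that were switched on in a written inputs.conf.
count_enabled_inputs() {
    grep -c '^disabled = 0$' "$1"
}

inputs=$(enable_nix_inputs vmstat ps openPorts)
outputs=$(configure_outputs idx1.splunk.mycompany.com idx2.splunk.mycompany.com)
echo "enabled $(count_enabled_inputs "$inputs") scripted inputs in $inputs"
echo "forwarding to: $(grep '^server' "$outputs")"
# On a real forwarder, finish with: "$SPLUNK_HOME/bin/splunk" restart
```

Keep in mind that each enabled scripted input runs a shell script from the add-on's bin directory under the forwarder's own account, so enable only the inputs you actually need and run the forwarder as an unprivileged user where the data sources allow it.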

Use a deployment server to deploy the Splunk Add-on for Unix and Linux

You can use a deployment server to distribute the Splunk Add-on for Unix and Linux onto *nix hosts with universal forwarders installed on them.

These instructions are generic and not step-by-step. You might need to make changes to match your specific environment.

To learn more about how to use a deployment server, see "About deployment server" in the Distributed Deployment manual (for Splunk Enterprise version 5 and earlier) or the Updating Splunk Enterprise Instances manual (for Splunk Enterprise version 6 and later).

Set up the deployment server

  1. Install a full instance of Splunk Enterprise, or designate an existing full instance, for use as a deployment server if you do not already have one in your environment.
  2. Download the Splunk Add-on for Unix and Linux installation package from Splunkbase and unpack it in an accessible location.
  3. Define a server class for the *nix hosts that will receive the Splunk Add-on for Unix and Linux.
  4. From the location where you unpacked the package, copy the Splunk_TA_nix folder to $SPLUNK_HOME/etc/deployment-apps on the deployment server.
  5. Within the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder on the deployment server, enable the data and scripted inputs that you want the add-on to collect from your *nix hosts. Everything in this folder, including the scripted inputs, is copied to and executed on every client in the server class, so restrict write access to the folder to the account that runs the deployment server.
  6. Restart Splunk Enterprise on the deployment server to activate the changes.
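The deployment server side of the procedure above, as an added shell example that is not part of the Splunk documentation or of the add-on. It stages an unpacked Splunk_TA_nix folder under $SPLUNK_HOME/etc/deployment-apps, strips group and world write permission from everything staged there (anything in that folder runs on every client that receives it), and writes a serverclass.conf that assigns the add-on to the *nix forwarders and restarts them after delivery. Assumptions not taken from this page: SPLUNK_HOME defaults to a scratch directory, the unpacked add-on is simulated by a placeholder folder so the script runs offline, the server class name nix_forwarders, the hostname pattern *.splunk.mycompany.com, and the machine type filter linux-x86_64.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation or the add-on): stage
# Splunk_TA_nix on a deployment server and define the server class that
# delivers it. Assumptions: SPLUNK_HOME falls back to a scratch dir, the
# add-on is simulated by a placeholder, class name / host pattern / machine
# type are illustrative.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-$(mktemp -d)}"
DEPLOY_APPS="$SPLUNK_HOME/etc/deployment-apps"

# Copy an unpacked Splunk_TA_nix folder into deployment-apps and remove
# group/world write permission: whatever sits here, scripted inputs
# included, executes on every client in the server class.
stage_add_on() {
    src="$1"
    mkdir -p "$DEPLOY_APPS"
    cp -R "$src" "$DEPLOY_APPS/"
    chmod -R go-w "$DEPLOY_APPS"
    echo "$DEPLOY_APPS/$(basename "$src")"
}

# Write serverclass.conf: clients whose name matches the pattern receive the
# add-on, and restartSplunkd makes them restart so the new inputs take effect.
write_serverclass() {
    class="$1"; pattern="$2"
    conf="$SPLUNK_HOME/etc/system/local/serverclass.conf"
    mkdir -p "$(dirname "$conf")"
    cat > "$conf" <<EOF
[serverClass:$class]
whitelist.0 = $pattern
machineTypesFilter = linux-x86_64

[serverClass:$class:app:Splunk_TA_nix]
restartSplunkd = true
EOF
    echo "$conf"
}

# Count entries under deployment-apps that are still group- or world-writable.
deployment_apps_writable_by_others() {
    find "$DEPLOY_APPS" -perm -002 -o -perm -020 | wc -l | tr -d ' '
}

# Simulated unpacked add-on (placeholder, not the real package), with one
# deliberately over-permissive script to show the permission fix taking effect.
work=$(mktemp -d)
mkdir -p "$work/Splunk_TA_nix/bin" "$work/Splunk_TA_nix/default"
echo '#!/bin/sh' > "$work/Splunk_TA_nix/bin/vmstat.sh"
chmod 777 "$work/Splunk_TA_nix/bin/vmstat.sh"

staged=$(stage_add_on "$work/Splunk_TA_nix")
sc=$(write_serverclass nix_forwarders '*.splunk.mycompany.com')
echo "staged $staged; $(deployment_apps_writable_by_others) loosely permissioned entries remain"
echo "server class written to $sc"
# On a real deployment server, activate with: "$SPLUNK_HOME/bin/splunk" reload deploy-server
```

The inputs you enable under deployment-apps/Splunk_TA_nix/local travel to the clients unchanged, so review that folder with the same care as any other code you push to a fleet of hosts.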

Set up the deployment clients to contact the deployment server

Each *nix host with a universal forwarder installed on it is called a deployment client. Deployment clients fetch configuration from the deployment server in your Splunk Enterprise environment. In this case, they also fetch the Splunk Add-on for Unix and Linux and its configuration, which lets the universal forwarder collect *nix data and send it to the central Splunk App for Unix and Linux instance.

To set up the deployment clients, see the "Configure deployment clients" topic for the version of the universal forwarder that you have installed on your *nix hosts.

When you configure deploymentclient.conf on the clients, set the targetUri attribute to the host and management port of the Splunk Enterprise instance that runs the deployment server (8089 is the default splunkd management port). Following is an example deploymentclient.conf file. See the "Configure deployment clients" topic referenced above for additional information.

[deployment-client]

[target-broker:deploymentServer]
targetUri= deploymentserver.splunk.mycompany.com:8089
Last modified on 26 April, 2018

This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 6.0.0