Install the Splunk Technology Add-on for Unix and Linux
Installing the Splunk TA for Unix and Linux is similar to installing the full app. It can be installed on either an indexer or a forwarder. It can only be installed on *nix systems.
In most situations, you can install the TA by using either Splunk Web or the CLI. Important exceptions are listed below.
When installing the TA on an indexer, you can use either Splunk Web or the CLI. Once it is installed, you must manually edit configuration files in order to enable inputs contained within the add-on.
The installation process for a TA onto a universal forwarder is completely manual. You cannot use the universal forwarder's CLI, and since the forwarder does not have a user interface, you cannot use Splunk Web.
Install the TA from the command line
On Splunk indexers, you can install the TA from the command line, using Splunk's CLI interface.
Important: If you are installing the TA on a universal forwarder, you cannot use the CLI. You must install the add-on manually using your system's file management tools. Read "Install the TA on a universal forwarder" in this topic for details.
To install the Splunk TA for Unix and Linux from the command line:
1. Optionally, download the Splunk TA for Unix and Linux from Splunkbase.
Note: If you have access to the Internet and have a valid link to where the app package resides, you can use the splunk install
command to install the app directly from the internet:
# cd /opt/splunk/bin # ./splunk install http://server.com:80/files/Splunk_TA_nix.tar.gz
In this case, you can proceed directly to Step 3.
2. Run the splunk install
CLI command:
# cd /opt/splunk/bin # ./splunk install app <path>/Splunk_TA_nix.tar.gz App 'unix' is installed.
Note: You may be required to log into your Splunk instance before it installs the app.
3. Complete the steps in "Enable data and scripted inputs in the TA".
Install the TA using Splunk Web
While many TA installations are done from the command line, you can also install it using Splunk Web. The most common use case for this method of installation is to provide support for another app installed on the same indexer.
Important: Splunk Web is available for installations of the Splunk TA for Unix and Linux only on full instances of Splunk. It is not available for installations on universal forwarders. .
To install the Splunk TA for Unix and Linux using Splunk Web:
1. Download the Splunk TA for Unix and Linux from Splunkbase, if you haven't already.
Note: The file downloads with a .tar.gz
extension. Do not attempt to run this file. You will install it within Splunk.
2. Log into Splunk Web on the Splunk instance on which you want to install the app.
3. Once logged in, click the App menu from the upper right menu bar, and select Manage apps...
4. On the next page, click the Install app from file button.
5. On the Upload a file screen, click Browse...
6. Locate the downloaded Splunk_TA_nix.tar.gz
file and click Open.
7. Click Upload.
Splunk opens the Splunk_TA_nix.tar.gz
package and installs the application.
8. Click the Restart Splunk button or the link in the banner to restart Splunk.
Note: A dialog box asking you if you are sure you want to restart Splunk may appear. Click OK to restart Splunk.
9. Once Splunk restarts, click OK to return to the Splunk login page.
10. Complete the steps in "Enable data and scripted inputs in the TA".
Install the TA on a universal forwarder
When installing the TA on a universal forwarder, neither Splunk Web nor the CLI is available - you must install it manually. To install the TA on a universal forwarder:
1. Download the Splunk TA for Unix and Linux from Splunkbase, if you haven't already.
Note: The file downloads with a .tar.gz
extension. Do not attempt to run this file.
2. Unpack the Splunk_TA_nix.tar.gz
file into $SPLUNK_HOME/etc/apps
:
# tar xvzf /path/Splunk_TA_nix.tar.gz -C $SPLUNK_HOME/etc/apps Splunk_TA_nix/ Splunk_TA_nix/appserver/ Splunk_TA_nix/appserver/controllers/ ... Splunk_TA_nix/samples/sample.fs_notification Splunk_TA_nix/samples/syslog.nix #
3. Make sure that the files are owned by the splunk
user and group.
4. Complete the steps in "Enable data and scripted inputs in the TA".
Enable data and scripted inputs in the TA
Once you have installed the Splunk TA, you must manually enable the inputs that come with it, regardless of installation method.
To enable the inputs included with the TA:
1. Make a copy of $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf
and place it into $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local
.
Caution: Do not edit the inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default.
This file gets overwritten whenever you upgrade the app.
2. Open $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
for editing.
3. Enable the inputs that you want the add-on to monitor by setting the disabled
attribute for each input stanza to 0.
4. Save the file.
5. Restart your Splunk instance:
# ./splunk restart
Install the Splunk App for Unix and Linux | Log in and get started |
This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 4.5, 4.6
Feedback submitted, thanks!