Install the Splunk App for Unix and Linux in a distributed Splunk environment
If you plan to install the Splunk App for Unix and Linux in a distributed Splunk environment, there are certain considerations you must take into account. You must install the app in a different way than you do when you install on a single host.
The following table shows the recommended locations in your Splunk App for Unix and Linux deployment on which you should install the individual app components.
Component | Search Head | Indexer | Forwarder | Deploy. Serv.
---|---|---|---|---
App (splunk_app_for_nix) | X | | |
Add-on (Splunk_TA_nix) | X | X | X | X
Supporting Add-on (SA-nix) | X | X ¹ | |
¹ See "Install the Splunk Supporting Add-on for Unix and Linux on an indexer" later in this topic.
In a distributed Splunk App for Unix and Linux environment, Splunk indexers and search heads comprise a "central" Splunk App for Unix and Linux instance. The central instance indexes *nix data that universal forwarders installed on *nix hosts send to it. You log into the central instance to use the app.
Note:
- The following installation instructions are generic. You might need to make additional adjustments and configuration changes based on your network topology.
- A deployment server can help ease configuration of a large number of clients in a distributed environment. Consider installing a deployment server in your environment if you have not already.
Install the Splunk Add-on for Unix and Linux on an indexer
To build your distributed Splunk App for Unix and Linux deployment, first install Splunk Enterprise and the Splunk Add-on for Unix and Linux onto the hosts that you want to index *nix data:
1. Identify the hosts that will be part of the central Splunk App for Unix and Linux instance.
- These hosts store incoming *nix data from *nix servers.
2. Install full Splunk Enterprise onto each of the indexers.
3. Next, configure each indexer to receive data from forwarders.
4. Follow the instructions at "Install the Splunk Add-on for Unix and Linux" to place the Splunk Add-on for Unix and Linux onto each indexer.
5. If the indexer is also a *nix host and you want to collect *nix data from it, enable the data and scripted inputs inside the Splunk_TA_nix add-on on the host.
6. Restart Splunk Enterprise on each host to complete the add-on installation.
Install the Splunk Supporting Add-on for Unix and Linux on an indexer
If you forward search head data to your indexers (a Splunk best practice), then you must install SA-nix onto those indexers.
The Splunk Supporting Add-on for Unix and Linux contains saved searches that might significantly impact indexing performance. If you need to install SA-nix on your indexers, follow this procedure:
1. Install full Splunk Enterprise onto each host that is to be an indexer, if you have not already.
2. Configure the indexers to receive data, if you have not already.
3. Copy the SA-nix folder from the Splunk App for Unix and Linux installation archive to the Splunk Apps directory:
cp -r splunk_app_for_nix/install/SA-nix $SPLUNK_HOME/etc/apps
4. Within the Splunk Supporting Add-on for Unix and Linux directory, delete the savedsearches.conf and inputs.conf files:
# cd $SPLUNK_HOME/etc/apps/SA-nix/default
# rm inputs.conf savedsearches.conf
5. Restart Splunk Enterprise to complete the add-on installation.
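The copy-and-strip steps above, as an added shell example that is not part of the Splunk documentation: it stages SA-nix from the unpacked archive into $SPLUNK_HOME/etc/apps, removes default/inputs.conf and default/savedsearches.conf, and then checks that no such file remains anywhere under the app. The check also covers a local/ directory, which goes slightly beyond the page's step (a local/savedsearches.conf would reintroduce the saved searches the procedure is removing). The sample archive layout and the throwaway SPLUNK_HOME are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: stage SA-nix onto an
# indexer and strip the files that would otherwise run saved searches and
# inputs on the indexing tier. The archive layout built by
# make_sample_archive is a constructed stand-in for the real download.

# Copy SA-nix from an unpacked splunk_app_for_nix archive into the Splunk
# apps directory, then delete default/inputs.conf and default/savedsearches.conf.
# $1 = directory containing the unpacked splunk_app_for_nix folder
# $2 = SPLUNK_HOME of the indexer
stage_sa_nix() {
    src="$1/splunk_app_for_nix/install/SA-nix"
    dest="$2/etc/apps/SA-nix"
    [ -d "$src" ] || { echo "missing $src" >&2; return 1; }
    # refuse to copy over an existing install (cp -r would nest a second SA-nix)
    [ ! -e "$dest" ] || { echo "$dest already exists" >&2; return 1; }
    mkdir -p "$2/etc/apps"
    cp -r "$src" "$2/etc/apps/"
    rm -f "$dest/default/inputs.conf" "$dest/default/savedsearches.conf"
}

# Report any inputs.conf or savedsearches.conf left anywhere under the
# installed app (default/ or local/). Returns 0 when none remain, otherwise
# prints the offending paths and returns 1.
sa_nix_indexer_clean() {
    app="$1/etc/apps/SA-nix"
    [ -d "$app" ] || { echo "$app is not installed" >&2; return 1; }
    leftovers=$(find "$app" \( -name inputs.conf -o -name savedsearches.conf \))
    if [ -n "$leftovers" ]; then
        printf '%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# Constructed stand-in for the unpacked installation archive so the script
# runs offline; a real archive contains many more files.
make_sample_archive() {
    d="$1/splunk_app_for_nix/install/SA-nix/default"
    mkdir -p "$d"
    printf '[install]\nis_configured = 0\n' > "$d/app.conf"
    printf '[script://./bin/example.sh]\ndisabled = 0\n' > "$d/inputs.conf"
    printf '[Example Saved Search]\nsearch = index=os\n' > "$d/savedsearches.conf"
}

# Demo against a throwaway SPLUNK_HOME: sh stage_sa_nix.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_archive "$work"
    stage_sa_nix "$work" "$work/splunk"
    sa_nix_indexer_clean "$work/splunk" && echo "SA-nix staged without inputs or saved searches"
    rm -rf "$work"
fi
```

Run the check again after any later change to the app directory; a local/ override added by an administrator is the usual way the saved searches come back on an indexer.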
Install the Splunk App for Unix and Linux on a search head
After you install the Splunk App for Unix and Linux onto your indexers, you must configure and install the app onto search heads which search the indexers. Once you have installed the app onto search heads, you can then log into the search heads and view the incoming *nix data.
To install the Splunk App for Unix and Linux on a search head:
1. Identify the hosts that will act as search heads in your Splunk App for Unix and Linux deployment.
2. Install Splunk Enterprise onto each of these computers, if it is not already installed.
3. On each host, configure Splunk Enterprise to search across all of the indexers in the deployment that will store *nix data.
4. Follow the instructions in "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components onto each search head.
5. Restart Splunk Enterprise to complete the app installation.
Install the Splunk Add-on for Unix and Linux on a forwarder
Once you have installed the Splunk App for Unix and Linux onto the indexers and search heads in the central Splunk App for Unix and Linux instance, you must then install the Splunk Add-on for Unix and Linux onto the *nix hosts from which you want to collect *nix data.
Do this by installing universal forwarders onto those hosts, and then installing the add-on into the universal forwarders. The forwarders then send *nix data to the indexers in the central Splunk App for Unix and Linux instance.
To install the Splunk Add-on for Unix and Linux on a universal forwarder:
1. Identify the hosts from which you want to collect *nix data.
2. Install a Splunk universal forwarder on these hosts.
3. Configure the forwarder to send data to the indexers in the central Splunk App for Unix and Linux instance.
4. Follow the instructions in "Install the Splunk Add-on for Unix and Linux" to place the Splunk Add-on for Unix and Linux into each universal forwarder.
5. Enable the data and scripted inputs within the add-on.
6. Restart the universal forwarder to complete the add-on installation.
Use a deployment server to deploy the Splunk Add-on for Unix and Linux
These instructions provide guidance on the use of a deployment server to distribute the Splunk Add-on for Unix and Linux onto *nix servers with universal forwarders installed on them.
Note: These instructions are generic and not step-by-step. You might need to make changes to match your specific environment. You can use deployment server to distribute more than just apps to deployment clients.
To learn more about how to use deployment server, read "About deployment server" in the Distributed Deployment manual (for Splunk version 5 and earlier) or Updating Splunk Enterprise Instances Manual (for Splunk version 6 and later).
Set up the deployment server
1. Install a full instance of Splunk Enterprise or designate an existing full instance for use as a deployment server, if you do not have one in your environment.
2. Download the Splunk App for Unix and Linux installation package from Splunk Apps.
3. Set up the deployment server on this Splunk instance.
- a. Define a server class for the *nix hosts that will receive the Splunk Add-on for Unix and Linux.
Note: You can use either Splunk Web or configuration files to create deployment server classes. If you are using Splunk 6.0 and later, read "Define server classes" in the Updating Splunk Enterprise Instances Manual to learn how to create server classes in that version.
- b. Download the Splunk Add-on for Unix and Linux installation package and place it in an accessible location.
- c. From this location, copy the Splunk_TA_nix folder to $SPLUNK_HOME/etc/deployment-apps on the deployment server.
4. Within the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder on the deployment server, enable the data and scripted inputs that you want the add-on to collect from your *nix hosts.
5. Restart Splunk Enterprise on the deployment server to activate the changes.
Set up the deployment clients to contact the deployment server
Each *nix host with a universal forwarder installed on it is known as a deployment client. These clients fetch configuration information from the deployment server in your Splunk environment. In this case, they also fetch the Splunk Add-on for Unix and Linux and its configurations, which allows the universal forwarder to collect *nix data (and subsequently send that data to the central Splunk App for Unix and Linux instance).
To set up the deployment clients, follow the instructions in the "Configure deployment clients" topic for the version of universal forwarder that you have installed on your *nix servers:
- Configure deployment clients (version 5.0.x and earlier)
- Configure deployment clients (version 6.0.x and later)
Note: When you configure deploymentclient.conf on the clients, set the targetUri attribute to the Splunk Enterprise instance that runs the deployment server. Following is an example deploymentclient.conf file. Review the "Configure deployment clients" topics referenced above for additional information:
[deployment-client]
[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089
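The deployment-server setup (steps 3c through 4) and the client configuration above, as one added shell example that is not part of the Splunk documentation. It stages Splunk_TA_nix into deployment-apps, enables one input by overriding it in local/ (the same function works on a forwarder's own etc/apps/Splunk_TA_nix copy for step 5 of the forwarder procedure), writes a serverclass.conf that targets the *nix hosts, and writes the deploymentclient.conf shown above while rejecting a targetUri that lacks the management port. The server class name "nix_hosts", the whitelist pattern, the demo host names and the vmstat.sh scripted input are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: stage Splunk_TA_nix on a
# deployment server, enable one of its inputs, define a server class for the
# *nix hosts, and write deploymentclient.conf on a client.
# Assumed: server class name "nix_hosts", whitelist pattern, demo host names,
# and the vmstat.sh scripted input used in the demo.

# Copy the unpacked add-on into deployment-apps on the deployment server.
# $1 = directory holding the unpacked Splunk_TA_nix folder, $2 = SPLUNK_HOME
stage_ta_nix() {
    [ -d "$1/Splunk_TA_nix" ] || { echo "missing $1/Splunk_TA_nix" >&2; return 1; }
    mkdir -p "$2/etc/deployment-apps"
    cp -r "$1/Splunk_TA_nix" "$2/etc/deployment-apps/"
}

# Enable one input stanza by overriding it in local/inputs.conf rather than
# editing default/, so an add-on upgrade does not undo the change.
# $1 = a Splunk_TA_nix folder (in deployment-apps, or etc/apps on a forwarder)
# $2 = stanza name such as script://./bin/vmstat.sh
enable_ta_nix_input() {
    mkdir -p "$1/local"
    printf '[%s]\ndisabled = 0\n\n' "$2" >> "$1/local/inputs.conf"
}

# Return 0 if the stanza is enabled in local/inputs.conf, 1 otherwise.
ta_nix_input_enabled() {
    f="$1/local/inputs.conf"
    [ -f "$f" ] || return 1
    awk -v s="[$2]" '$0 == s {found=1; next}
                     found && /^disabled *= *0/ {ok=1}
                     /^\[/ {found=0}
                     END {exit !ok}' "$f"
}

# Write serverclass.conf so every client whose host name matches the
# whitelist receives Splunk_TA_nix and restarts splunkd to start its inputs.
# $1 = SPLUNK_HOME of the deployment server, $2 = whitelist pattern
write_serverclass_conf() {
    mkdir -p "$1/etc/system/local"
    cat > "$1/etc/system/local/serverclass.conf" <<EOF
[serverClass:nix_hosts]
whitelist.0 = $2

[serverClass:nix_hosts:app:Splunk_TA_nix]
restartSplunkd = true
EOF
}

# Write deploymentclient.conf on a forwarder. targetUri must carry the
# management port, so a bare host name is rejected before anything is written.
# $1 = SPLUNK_HOME of the forwarder, $2 = host:port of the deployment server
write_deploymentclient_conf() {
    case "$2" in
        *:[0-9]*) ;;
        *) echo "targetUri must be host:port, got '$2'" >&2; return 1 ;;
    esac
    mkdir -p "$1/etc/system/local"
    cat > "$1/etc/system/local/deploymentclient.conf" <<EOF
[deployment-client]

[target-broker:deploymentServer]
targetUri = $2
EOF
}

# Print the targetUri a client is configured with, or nothing if unset.
client_target_uri() {
    f="$1/etc/system/local/deploymentclient.conf"
    [ -f "$f" ] || return 0
    sed -n 's/^targetUri[[:space:]]*=[[:space:]]*//p' "$f"
}

# Demo against throwaway directories: sh deploy_ta_nix.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/download/Splunk_TA_nix/default"   # constructed stand-in for the download
    stage_ta_nix "$work/download" "$work/ds"
    enable_ta_nix_input "$work/ds/etc/deployment-apps/Splunk_TA_nix" "script://./bin/vmstat.sh"
    write_serverclass_conf "$work/ds" 'nix-*'
    write_deploymentclient_conf "$work/uf" deploymentserver.splunk.mycompany.com:8089
    echo "client will poll: $(client_target_uri "$work/uf")"
    rm -rf "$work"
fi
```

Restart Splunk Enterprise on the deployment server after staging, as step 5 says; the server class only takes effect once the deployment server has reloaded it, and clients only pick up the add-on on their next poll of the targetUri.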
This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.0.1, 5.0.2, 5.0.3