Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux


On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

Install the Splunk App for Unix and Linux in a distributed Splunk environment

If you plan to install the Splunk App for Unix and Linux in a distributed Splunk environment, there are certain considerations you must take into account. You must install the app in a different way than you do when you install on a single server.

The following table shows which components of the suite to install on each type of instance in your deployment.

Splunk App for Unix and Linux Component Installation Locations

Component                     Search Head   Indexer   Forwarder   Deploy. Serv.
App (splunk_app_for_nix)      X             -         -           -
Add-on (Splunk_TA_nix)        X             X         X           X
Supporting Add-on (SA-nix)    X             -         -           -

In a distributed Splunk App for Unix and Linux environment, Splunk indexers and search heads comprise a "central" Splunk App for Unix and Linux instance. This central instance indexes *nix data that universal forwarders installed on *nix servers send to it. You log into the central instance to view *nix data with the app.

Important:

  • The following installation instructions are generic. You might need to make additional adjustments and configuration changes based on your specific setup.
  • A deployment server can help ease configuration of a large number of clients in a distributed environment. Consider installing a deployment server in your environment if you have not already.
  • The installation package includes a version of the Splunk Add-on for Unix and Linux which you can place into a deployment server for ease of use in distributing the add-on across *nix servers in your network.

1. Install the Splunk App for Unix and Linux on an indexer

To build your distributed Splunk App for Unix and Linux deployment, first install Splunk and the Splunk App for Unix and Linux onto the servers that you want to index *nix data:

1. Identify the indexers which will comprise your Splunk App for Unix and Linux deployment.

These servers store incoming *nix data from *nix servers.

2. Install full Splunk onto each of the indexers.

3. On each indexer, configure Splunk to receive data from forwarders.

4. Follow steps 1 through 3 of "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components onto each indexer.

Important: Do not restart Splunk yet.

5. Remove the SA-nix folder from $SPLUNK_HOME/etc/apps. This component is not required to be installed on indexers, except in specific circumstances.

6. Remove the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder from the installation. This directory is only required when you want to use a deployment server to deploy the add-on to other *nix servers that have a forwarder installed on them.

7. If the search head is a *nix server and you want the server to send *nix data, enable the data and scripted inputs within the Splunk_TA_nix add-on on the server.

8. Restart Splunk to complete the app installation.

2. Install the Splunk App for Unix and Linux on a search head

After you install the Splunk App for Unix and Linux onto your indexers, you must then configure and install the app onto search heads which search the indexers. Once you have installed the app onto search heads, you can then log into the search heads and view incoming *nix data.

To install the Splunk App for Unix and Linux on a search head:

1. Identify the servers which will act as search heads in your Splunk App for Unix and Linux deployment.

2. Install full Splunk onto each of these computers.

3. On each server, configure Splunk to search across all of the indexers in your deployment that will store *nix data.

4. Follow steps 1 through 3 of "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components onto each indexer.

Important: Do not restart Splunk yet.

5. Remove the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder from the installation. This directory is only required when you want to use a deployment server to deploy the add-on to other *nix servers that have a forwarder installed on them.

6. If the search head is a *nix server and you want the server to send *nix data, enable the data and scripted inputs within the Splunk_TA_nix add-on on the server.

7. Restart Splunk to complete the app installation.

3. Install the Splunk App for Unix and Linux on a forwarder

Once you have installed the Splunk App for Unix and Linux onto indexers and search heads, you must install the Splunk Add-on for Unix and Linux onto universal forwarders which send *nix data to the indexers in the central Splunk App for Unix and Linux instance.

To install the Splunk App for Unix and Linux on a universal forwarder:

1. Identify the systems from which you want to collect *nix data.

2. On each one of these systems, install a universal forwarder.

3. Configure the forwarder to send data to the indexers in the central Splunk App for Unix and Linux instance.

4. Follow Steps 1 through 3 of "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components onto each universal forwarder.

Important: Do not restart Splunk yet.

5. Remove the SA-nix and splunk_app_for_nix folders from $SPLUNK_HOME/etc/apps. These components are not required to be installed on forwarders.

6. Remove the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder from the installation. This directory is only required when you want to use a deployment server to deploy the add-on to other *nix servers that have a forwarder installed on them.

7. Enable the data and scripted inputs within the add-on.

8. Restart Splunk to complete the app installation.
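
A check for the removal steps in the three role procedures above, as an added example that is not part of the Splunk documentation: it flags folders the steps say to remove for a given role, and a missing add-on. The function names and the etc/apps/Splunk_TA_nix location of the add-on are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk's own code): audit a host's app folders against
# the removal steps on this page for its role.
# Usage: sh audit.sh <indexer|search_head|forwarder> <SPLUNK_HOME>

# Paths (relative to SPLUNK_HOME) that the steps say to remove, per role.
must_be_absent() {
    case "$1" in
        indexer)
            echo "etc/apps/SA-nix etc/deployment-apps/Splunk_TA_nix" ;;
        search_head)
            echo "etc/deployment-apps/Splunk_TA_nix" ;;
        forwarder)
            echo "etc/apps/SA-nix etc/apps/splunk_app_for_nix etc/deployment-apps/Splunk_TA_nix" ;;
        *)
            return 2 ;;
    esac
}

# audit_nix_role ROLE SPLUNK_HOME
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad role.
audit_nix_role() {
    role=$1
    home=$2
    absent=$(must_be_absent "$role") || { echo "unknown role: $role" >&2; return 2; }
    findings=0
    for rel in $absent; do
        if [ -e "$home/$rel" ]; then
            echo "UNEXPECTED $rel (the steps remove it for role $role)"
            findings=1
        fi
    done
    # Assumption: the add-on is installed at etc/apps/Splunk_TA_nix.
    if [ ! -d "$home/etc/apps/Splunk_TA_nix" ]; then
        echo "MISSING etc/apps/Splunk_TA_nix"
        findings=1
    fi
    return "$findings"
}

# Run the audit only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    audit_nix_role "$1" "$2"
fi
```
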

Use a deployment server to deploy the Splunk Add-on for Unix and Linux

These instructions provide guidance on the use of a deployment server to distribute the Splunk Add-on for Unix and Linux onto *nix servers with universal forwarders installed on them.

Note: These instructions are generic and not step-by-step. You might need to make changes to match your specific environment. You can use deployment server to distribute more than just apps to deployment clients.

To learn more about how to use deployment server, read "About deployment server" in the Distributed Deployment Manual (for Splunk version 5 and earlier) or Updating Splunk Enterprise Instances Manual (for Splunk version 6 and later).

Set up the deployment server

1. Install a full instance of Splunk or designate an existing full instance for use as a deployment server, if you do not have one in your environment.

2. Download the Splunk App for Unix and Linux installation package from Splunk Apps.

3. Set up the deployment server on this Splunk instance.

a. Define a server class for the *nix servers that will receive the Splunk Add-on for Unix and Linux.

Note: You can use either Splunk Web or configuration files to create deployment server classes. If you are using Splunk 6.0 and later, read "Define server classes" in the new Updating Splunk Enterprise Instances Manual to learn how to create server classes in that version.

b. Unpack the Splunk App for Unix and Linux installation package into an accessible location.
c. From this location, copy the etc/deployment-apps/Splunk_TA_nix folder to $SPLUNK_HOME on the deployment server.

4. Within the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder on the deployment server, enable the data and scripted inputs that you want the add-on to collect from your *nix servers.

5. Restart Splunk on the deployment server to activate the changes.

Set up the deployment clients to contact the deployment server

Each *nix system with a universal forwarder installed on it is known as a deployment client. These clients fetch configuration information from the deployment server in your Splunk environment. In this scenario, they also fetch the Splunk Add-on for Unix and Linux and its configurations, which allows the universal forwarder to collect *nix data (and subsequently send that data to the central Splunk App for Unix and Linux instance).

To set up the deployment clients, follow the instructions in the "Configure deployment clients" topic for the version of Splunk that you have installed on your *nix servers.

Note: When you configure deploymentclient.conf on the clients, set the targetUri attribute to the Splunk instance that runs the deployment server. Following is an example deploymentclient.conf file:

[deployment-client]

[target-broker:deploymentServer]
targetUri = deploymentserver.splunk.mycompany.com:8089

Review the "Configure deployment clients" topics referenced above for additional information.
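
Because each client fetches the add-on and its scripted inputs from whatever host targetUri names, it is worth confirming the setting on every forwarder. The following is an added example, not part of the Splunk documentation, that reads targetUri from the [target-broker:deploymentServer] stanza shown above and compares it with the expected host:port; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk's own code): confirm that deploymentclient.conf
# points at the expected deployment server.
# Usage: sh check.sh <path/to/deploymentclient.conf> <host:port>

# get_target_uri FILE
# Prints the targetUri value from the [target-broker:deploymentServer] stanza.
get_target_uri() {
    awk '
        /^[ \t]*\[/ {
            # Stanza header: track whether it is the target-broker stanza.
            in_stanza = ($0 ~ /^[ \t]*\[target-broker:deploymentServer\][ \t]*$/)
            next
        }
        in_stanza && /^[ \t]*targetUri[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")   # drop the key, "=" and leading blanks
            sub(/[ \t]+$/, "")         # drop trailing blanks
            print
            exit
        }
    ' "$1"
}

# check_target_uri FILE EXPECTED_HOST_PORT
# Returns 0 on a match, 1 when the setting is missing or differs.
check_target_uri() {
    actual=$(get_target_uri "$1")
    if [ -z "$actual" ]; then
        echo "targetUri not set in $1"
        return 1
    fi
    if [ "$actual" != "$2" ]; then
        echo "targetUri is '$actual', expected '$2'"
        return 1
    fi
    echo "targetUri OK: $actual"
}

# Run the check only when both arguments are given on the command line.
if [ "$#" -eq 2 ]; then
    check_target_uri "$1" "$2"
fi
```
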

Last modified on 07 October, 2013

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.0

