Other deployment considerations

In many applications, the Splunk App for Unix and Linux suite installs on a *nix server and collects data from that server. You then use Splunk Web to browse the app's included dashboards, reports, and saved searches to gain for insight into that data.

Additional uses for the app and add-on

There are additional uses for the app and add-on:

You can use the add-on to collect *nix data from a number of *nix machines by installing a universal forwarder on each machine and deploying the app to those forwarders. Once the app is installed on each forwarder, you can then forward the data to a receiving indexer that is running the full app. Read "Deploy the Splunk App for Unix and Linux in a distributed Splunk environment" for additional information and instructions.

You can install the app on a Splunk instance running on Windows. This instance can be an indexer or a search head. In this configuration, you must disable all included inputs that come with the app. Read "Search data received from a forwarder running on a different operating system" for additional details.

You can also install the add-on on an indexer to provide data inputs for another app installed on that indexer, such as the Splunk App for Enterprise Security.

If you install the Splunk App for Unix and Linux in a distributed environment and have configured the search heads in that environment to send data to the indexers, you might need to deploy the indexes.conf included with the Splunk Supporting Add-on for Unix and Linux component (SA-nix/default/indexes.conf) onto your indexers to make sure that the unix_summary summary index is available. Failure to do so might cause issues with alerts for the app, as alerts use this special index.

Related answers from Splunk Community

Other deployment considerations

Additional uses for the app and add-on

Comments

Other deployment considerations

Was this topic useful?