Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux

On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

Other deployment considerations

In many applications, the Splunk App for Unix and Linux suite installs on a *nix server and collects data from that server. You then use Splunk Web to browse the app's included dashboards, reports, and saved searches to gain insight into that data.

Additional uses for the app and add-on

There are additional uses for the app and add-on:

  • You can use the add-on to collect *nix data from a number of *nix machines by installing a universal forwarder on each machine and deploying the app to those forwarders. Once the app is installed on each forwarder, you can then forward the data to a receiving indexer that is running the full app. Read "Deploy the Splunk App for Unix and Linux in a distributed Splunk environment" for additional information and instructions.
  • You can also install the add-on on an indexer to provide data inputs for another app installed on that indexer, such as the Splunk App for Enterprise Security.
  • If you install the Splunk App for Unix and Linux in a distributed environment and have configured the search heads in that environment to send data to the indexers, you might need to deploy the indexes.conf included with the Splunk Supporting Add-on for Unix and Linux component (SA-nix/default/indexes.conf) onto your indexers to make sure that the unix_summary summary index is available. Failure to do so might cause issues with alerts for the app, as alerts use this special index.

Configure the Splunk App for Unix and Linux on multiple machines

The app can display data from many hosts. To collect that data, follow these steps:

1. Install the Splunk App for Unix and Linux on a central Splunk instance.

2. Configure the central Splunk instance to be a receiving indexer.

3. On each *nix machine from which you want to get *nix data, install a universal forwarder.

4. Configure each universal forwarder to forward data to the central Splunk receiver.

5. Install the Splunk Add-on for Unix and Linux on each universal forwarder.

6. Configure inputs.conf on each universal forwarder to enable the *nix data inputs.

Note: A deployment server eases management of this and other forwarder configuration files. Consider installing one in your environment if you have not already. The Splunk App for Unix and Linux installation package allows for direct installation into a deployment server for distribution of add-on components to universal forwarders.

7. On the central Splunk instance, open the Splunk App for Unix and Linux and confirm that you are receiving data from the *nix servers that have universal forwarders and the Splunk App for Unix and Linux installed on them.

search index=os
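The steps above set up the receiver, the forwarders, and the add-on's inputs.conf. The script below is an added example (not part of the original documentation or the app) that wraps the receiver and forwarder CLI commands in shell functions and generates a local/inputs.conf that enables selected *nix scripted inputs and routes them to the os index that step 7 searches. The stanza names (script://./bin/vmstat.sh and so on), the $SPLUNK_HOME path, the receiving port 9997, and the hostnames are assumptions; check the add-on's own default/inputs.conf on your system before using them. The validate_index function is a defender's check that every stanza really sets index = os, so events do not silently land in main where the app's dashboards and alerts will not see them.

```shell
#!/bin/sh
# Added example for the Splunk App for Unix and Linux deployment steps; not the app's own code.
# Assumptions: SPLUNK_HOME points at the Splunk install, the receiver listens on TCP 9997,
# and the add-on ships scripted inputs named like script://./bin/vmstat.sh.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
RECEIVER_PORT=9997

# Step 2: run on the central instance to make it a receiving indexer.
# (Real CLI command; "$1" is admin credentials in user:password form.)
configure_receiver() {
  "$SPLUNK_HOME/bin/splunk" enable listen "$RECEIVER_PORT" -auth "$1"
}

# Step 4: run on each universal forwarder; "$1" is the receiver hostname (assumed).
configure_forwarder() {
  "$SPLUNK_HOME/bin/splunk" add forward-server "$1:$RECEIVER_PORT"
}

# Step 6: write a local/inputs.conf enabling each named scripted input and
# sending its events to the os index. Usage: gen_inputs_conf OUTFILE name.sh ...
gen_inputs_conf() {
  out="$1"; shift
  : > "$out"
  for name in "$@"; do
    printf '[script://./bin/%s]\ndisabled = 0\nindex = os\n\n' "$name" >> "$out"
  done
}

# Count how many stanzas in FILE are enabled (disabled = 0).
count_enabled() {
  grep -c '^disabled = 0$' "$1"
}

# Return 0 if every stanza in FILE sets index = os, 1 otherwise.
# Catches the common mistake of an enabled input whose data lands in main.
validate_index() {
  awk '
    /^\[/ { if (inst && !ok) bad = 1; inst = 1; ok = 0; next }
    /^index *= *os *$/ { ok = 1 }
    END { if (inst && !ok) bad = 1; exit bad ? 1 : 0 }
  ' "$1"
}

# Example run (generate a config for three inputs and verify it before deploying):
#   gen_inputs_conf /tmp/inputs.conf vmstat.sh iostat.sh ps.sh
#   validate_index /tmp/inputs.conf && count_enabled /tmp/inputs.conf
```

Deploy the generated file to $SPLUNK_HOME/etc/apps/<add-on directory>/local/inputs.conf on each forwarder (through the deployment server mentioned in the note above, if you have one), restart the forwarder, and then confirm on the central instance with the `index=os` search from step 7.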

Last modified on 11 October, 2018

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.2.3, 5.2.4
