Splunk® App for Unix and Linux

Install and Use the Splunk App for Unix and Linux

Install the Splunk App for Unix and Linux in a distributed Splunk environment

The following table shows best-practice locations in your Splunk App for Unix and Linux deployment where you should install the Splunk App and Add-on for Unix and Linux. To learn more about installing apps and add-ons in a distributed Splunk Enterprise environment, see Where to install Splunk add-ons in Splunk Supported Add-ons.

Splunk App and Add-on for Unix and Linux Installation Locations:

Component                | Search Head / Search Head Cluster | Indexer | Forwarder | Deployment Server
App: splunk_app_for_nix  | X                                 |         |           |
Add-on: Splunk_TA_nix    | X                                 | X       | X         | X

In a distributed environment, Splunk indexers and search heads comprise a central Splunk App for Unix and Linux instance. The central instance indexes *nix data that universal forwarders, installed on *nix hosts, send to it. The distributed environment can comprise both search head and indexer clusters. Log into the central instance to use the app.


Steps to build a Splunk App for Unix and Linux deployment

The following installation instructions are generic. You might need to make additional adjustments and configuration changes based on your specific network topology. A deployment server can help ease configuration of a large number of clients in a distributed environment.

  1. Install indexers to store the *nix data.
  2. Configure these indexers as receivers.
  3. On each *nix host that you want data from, install a universal forwarder.
  4. Configure the universal forwarders to send data to the receiving indexers.
  5. Install a search head or a search head cluster.
  6. Configure the search head or search head cluster to search the indexers you set up.
  7. Install the Splunk Add-on for Unix and Linux on the search head or search head cluster.
  8. Install the Splunk App for Unix and Linux on the search head or search head cluster.
  9. Log into the search head or a search head cluster member and open the Splunk App for Unix and Linux.
  10. Configure the Splunk App for Unix and Linux.

Install the Splunk Add-on for Unix and Linux on an indexer

To build your distributed Splunk App for Unix and Linux deployment, first install Splunk Enterprise and the Splunk Add-on for Unix and Linux onto the hosts that you want to index *nix data:

  1. Identify the hosts that will be part of the central Splunk App for Unix and Linux instance. These hosts store incoming *nix data from *nix servers.
  2. Install Splunk Enterprise onto each of the indexers.
  3. Configure each indexer to receive data from forwarders.
  4. Follow the instructions at Install the Splunk Add-on for Unix and Linux to place the Splunk Add-on for Unix and Linux onto each indexer.
  5. If the indexer is also a *nix host and you want to collect *nix data from it, enable the data and scripted inputs inside the Splunk_TA_nix add-on on the host.
  6. Restart Splunk Enterprise on each host to complete the add-on installation.

Install the Splunk App for Unix and Linux on a search head

After you install the Splunk App for Unix and Linux on your indexers, you must configure and install the app on the search heads that search those indexers. After the app is installed on the search heads, log into them to view the incoming *nix data.

If you have a search head cluster, follow the instructions at "Install the Splunk App for Unix and Linux on a search head cluster" later in this topic.

To install the Splunk App for Unix and Linux on a search head:

  1. Identify the hosts that will act as search heads in your Splunk App for Unix and Linux deployment.
  2. Install Splunk Enterprise onto each of these computers, if it is not already installed.
  3. On each host, configure Splunk Enterprise to search across all of the indexers in the deployment that will store *nix data.
  4. Follow the instructions in "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components on each search head.
  5. Restart Splunk Enterprise to complete the app installation.

Install the Splunk App for Unix and Linux on a search head cluster

If you have a search head cluster, you can install the Splunk App for Unix and Linux on that cluster.

  1. If you have not already, configure the search head cluster, as described in Deploy a search head cluster in the Distributed Search manual.
  2. Extract the Splunk Add-on for Unix and Linux package into $SPLUNK_HOME/etc/apps on the search head cluster deployer.
  3. Extract the Splunk App for Unix and Linux package into $SPLUNK_HOME/etc/apps on the search head cluster deployer.
  4. Restart the deployer.
  5. On the deployer, log into Splunk Enterprise.
  6. Open the Splunk App for Unix and Linux.
  7. Configure the app.
  8. From a shell prompt on the deployer, copy the app, add-on, and configurations to the search head cluster apps directory:
    cp -pr $SPLUNK_HOME/etc/apps/Splunk_TA_nix $SPLUNK_HOME/etc/apps/splunk_app_for_nix $SPLUNK_HOME/etc/shcluster/apps
    
  9. From a command or shell prompt on the deployer, push the app, add-on, and configurations to the search head cluster members:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    

    The -target specifies the URI and management port of one of the search head cluster members. For example, if one of the members is splunk2.mycompany.com, you would specify https://splunk2.mycompany.com:8089.
  10. The deployer displays the following message:
    Warning: Depending on the configuration changes being pushed, this command
    might initiate a rolling-restart of the cluster members. Please refer to the
    documentation for the details.  Do you wish to continue? [y/n]:
    
    Proceed by responding to the message with y.
  11. Wait for the deployer to send the configuration bundle to the search head cluster members.

Install the Splunk Add-on for Unix and Linux on a forwarder

Once you install the Splunk App for Unix and Linux on the indexers and search heads in the central Splunk App for Unix and Linux instance, you must then install the Splunk Add-on for Unix and Linux onto the *nix hosts from which you want *nix data.

Install universal forwarders on your hosts, and then install the add-on on the universal forwarders. The forwarders then send *nix data to your indexers. Complete the following steps to install the Splunk Add-on for Unix and Linux on a universal forwarder:

  1. Identify the hosts from which you want to collect *nix data.
  2. Install a Splunk universal forwarder on these hosts.
  3. Configure the forwarder to send data to the indexers in the central Splunk App for Unix and Linux instance.
  4. Follow the instructions in Install the Splunk Add-on for Unix and Linux to place the Splunk Add-on for Unix and Linux into each universal forwarder.
  5. Enable the data and scripted inputs within the add-on.
  6. Restart the universal forwarder to complete the add-on installation.

Use a deployment server to deploy the Splunk Add-on for Unix and Linux

These instructions provide guidance on the use of a deployment server to distribute the Splunk Add-on for Unix and Linux onto *nix servers with universal forwarders installed on them.

You might need to make additional changes to match your specific environment.

To learn more about how to use a deployment server, see the Updating Splunk Enterprise Instances manual for Splunk Enterprise version 6 and later, or the Distributed Deployment manual for Splunk Enterprise version 5 and earlier.

Set up the deployment server

  1. Install Splunk Enterprise, or designate an existing full instance for use as a deployment server, if you do not already have one in your environment.
  2. Set up the deployment server on a Splunk instance on which you also install the Splunk App for Unix and Linux.
    a. Define a server class for the *nix hosts that will receive the Splunk Add-on for Unix and Linux. You can use either Splunk Web or configuration files to create deployment server classes. If you are using Splunk 6.0 and later, read Define server classes in the Updating Splunk Enterprise Instances Manual to learn how to create server classes.
    b. Download the Splunk Add-on for Unix and Linux installation package and place it in an accessible location.
    c. From this location, copy the Splunk_TA_nix folder to $SPLUNK_HOME/etc/deployment-apps on the deployment server.
  3. Within the $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix folder on the deployment server, enable the data and scripted inputs that you want the add-on to collect from your *nix hosts.
  4. Restart Splunk Enterprise on the deployment server to activate the changes.
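Step 3 is where the deployment server decides which scripts every *nix host will run, so it is worth doing it explicitly and checking the result. The following Python script is an added example (not part of the Splunk App or Add-on): it enables chosen inputs through a local/inputs.conf that overrides the shipped default/inputs.conf, refuses stanza names the add-on does not ship, and lists the inputs a client will actually run after Splunk merges default and local. The default/inputs.conf it uses is a constructed stand-in whose script:// and monitor:// stanza names are assumed to mirror the add-on's layout, and a temporary directory stands in for $SPLUNK_HOME/etc.

```python
"""Stage Splunk_TA_nix on a deployment server (added example, not Splunk tooling)."""
import configparser
import tempfile
from pathlib import Path

# Constructed stand-in for the add-on's shipped default/inputs.conf; stanza
# names are assumed to mirror the Splunk_TA_nix layout, everything ships disabled.
SAMPLE_DEFAULT_INPUTS = """\
[script://./bin/vmstat.sh]
interval = 60
disabled = 1
[script://./bin/ps.sh]
disabled = 1
[monitor:///var/log]
disabled = 1
"""

def _conf(*paths):
    """Read .conf files in order; later files win (local/ over default/)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk attribute names are case-sensitive
    cp.read(paths)        # missing files are skipped silently
    return cp

def make_sample_app(root=None):
    """Lay out deployment-apps/Splunk_TA_nix with only the default inputs."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    app = root / "deployment-apps" / "Splunk_TA_nix"
    (app / "default").mkdir(parents=True, exist_ok=True)
    (app / "default" / "inputs.conf").write_text(SAMPLE_DEFAULT_INPUTS)
    return app

def enable_inputs(app, stanzas):
    """Enable exactly `stanzas`; reject names the add-on does not ship."""
    default = _conf(app / "default" / "inputs.conf")
    unknown = [s for s in stanzas if not default.has_section(s)]
    if unknown:
        raise ValueError(f"not shipped by Splunk_TA_nix: {unknown}")
    local = _conf()  # fresh, empty parser for local/inputs.conf
    for s in stanzas:
        local[s] = {"disabled": "0"}
    (app / "local").mkdir(exist_ok=True)
    with open(app / "local" / "inputs.conf", "w") as fh:
        local.write(fh)

def effective_enabled(app):
    """Stanzas a deployment client will run once default and local are merged."""
    merged = _conf(app / "default" / "inputs.conf", app / "local" / "inputs.conf")
    return sorted(s for s in merged.sections()
                  if merged.get(s, "disabled", fallback="0").strip() == "0")
```

Running effective_enabled against the real $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix before step 4 gives you the exact list of scripted and file inputs that will be pushed to every client.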

Set up the deployment clients to contact the deployment server

Each *nix host with a universal forwarder installed on it is known as a deployment client. These clients fetch configuration information from the deployment server in your Splunk environment. In this case, they also fetch the Splunk Add-on for Unix and Linux and its configurations, which allows the universal forwarder to collect *nix data and subsequently send that data to the central Splunk App for Unix and Linux instance.

To set up the deployment clients, follow the instructions in the "Configure deployment clients" topic for the version of universal forwarder that you have installed on your *nix servers.

When you configure deploymentclient.conf on the clients, set the targetUri attribute to the Splunk Enterprise instance that runs the deployment server. Here is an example deploymentclient.conf file:

    [deployment-client]

    [target-broker:deploymentServer]
    targetUri = deploymentserver.splunk.mycompany.com:8089

This documentation applies to the following versions of Splunk® App for Unix and Linux: 5.2.5
