Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux

On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

Install the Splunk App for Unix and Linux

The installation package for the Splunk App for Unix and Linux contains dashboards, reports, alerts, lookups, and macros for use with Splunk Web.

Create an index

Download the Splunk Add-on for Unix and Linux from Splunkbase. Versions 6.0.0 and later of the Splunk Add-on for Unix and Linux do not include indexes. For the Splunk App for Unix and Linux, complete the following steps to create an index on your indexer:

  1. Make a local directory in the splunk_app_for_nix folder if you don't have one already.
  2. From the app's Default directory, copy macros.conf and savedsearches.conf into your local directory.
  3. Edit the os-index macro in macros.conf as follows: index=os.
    You can also make a custom index: index=<custom index>.
  4. Edit the fired_alerts saved search in savedsearches.conf as follows:
     | rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=os

Because the Splunk App for Unix and Linux version 6.0.0 doesn't have an indexes.conf file in the build package, complete the following steps to create one:

  1. Make a local directory in the $SPLUNK_HOME/etc/apps/splunk_app_for_nix folder if you don't have one already.
  2. Create an indexes.conf file in your local folder.
  3. Put the stanza below in that indexes.conf file and save the file:

     [unix_summary]
     homePath   = $SPLUNK_DB/unix_summary/db
     coldPath   = $SPLUNK_DB/unix_summary/colddb
     thawedPath = $SPLUNK_DB/unix_summary/thaweddb

  4. Restart Splunk.

These paths are for a single-instance deployment. In a distributed deployment, use the path $SPLUNK_HOME/etc/shcluster/apps/ instead.
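As an added consistency check (not part of the app or of Splunk's documentation), the following Python script reproduces the default/local layering the procedure above relies on and verifies that the index named by the os-index macro is defined in indexes.conf with all three paths. The conf contents it reads are constructed samples; the default macro definition is a placeholder, not the app's shipped value.

```python
import configparser
import re

# Constructed sample conf contents (placeholders, not the app's shipped files).
DEFAULT_MACROS = "[os-index]\ndefinition = index=main\n"
LOCAL_MACROS = "[os-index]\ndefinition = index=os\n"
LOCAL_INDEXES = """[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb
[os]
homePath   = $SPLUNK_DB/os/db
coldPath   = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
"""
REQUIRED_PATHS = ("homePath", "coldPath", "thawedPath")
INDEX_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")  # characters Splunk allows in index names

def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case: homePath, coldPath, thawedPath
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def layer(default, local):
    """Splunk precedence: a key in local/ overrides the same key in default/."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged

def check_deployment(default_macros, local_macros, local_indexes, macro="os-index"):
    """Return a list of problems; an empty list means the layered config is consistent."""
    problems = []
    macros = layer(parse_conf(default_macros), parse_conf(local_macros))
    indexes = parse_conf(local_indexes)
    key, _, idx = macros[macro]["definition"].partition("=")
    idx = idx.strip()
    if key.strip() != "index":
        problems.append(f"{macro} is not an index= definition")
    elif not INDEX_NAME.fullmatch(idx):  # catches e.g. a trailing '.' copied from prose
        problems.append(f"{macro} names a malformed index {idx!r}")
    elif idx not in indexes:
        problems.append(f"{macro} names index {idx!r}, which indexes.conf does not define")
    for stanza, kv in indexes.items():
        missing = [k for k in REQUIRED_PATHS if k not in kv]
        if missing:
            problems.append(f"[{stanza}] is missing {', '.join(missing)}")
    return problems
```

Point the three string constants at the real local/ and default/ files on a search head to run the same check against a live deployment.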

Install the Splunk App for Unix and Linux using Splunk Web

Complete the following steps to install the Splunk App for Unix and Linux using Splunk Web:

  1. Download the Splunk App for Unix and Linux from Splunkbase, or by browsing to it using Splunk Web.
  2. From the Splunk Web home screen, click the gear icon next to Apps.
  3. Click Install app from file.
  4. Locate the downloaded app file and click Upload.
  5. Restart the Splunk platform.

Install the Splunk App for Unix and Linux from the command line

Complete the following steps to install the Splunk App for Unix and Linux using the command line:

  1. Download the Splunk App for Unix and Linux from Splunkbase.
  2. Unpack the file.
  3. Copy the splunk_app_for_nix directory to $SPLUNK_HOME/etc/apps.
  4. Restart the Splunk platform.

Upgrade the Splunk App for Unix and Linux

You can upgrade directly from versions 5.2.2 and later of the Splunk App for Unix and Linux through Splunk's in-app upgrade feature within Splunk Web, or from the command line.

Upgrade from versions 4.7 through 5.2.1

Versions 5.2.2 and later of the Splunk App for Unix and Linux do not include the SA-nix file. If you are upgrading from versions 4.7 through 5.2.1, complete the following steps to keep the categories and groups that you have configured:

  1. Copy the dropdowns.csv file. In a single-instance deployment, the file is in etc/apps/SA-nix/lookups/. In a distributed deployment, the file is in $SPLUNK_HOME/etc/shcluster/apps.
  2. Move the copied dropdowns.csv file to etc/apps/splunk_app_for_nix/lookups/ for a single instance deployment or to $SPLUNK_HOME/etc/shcluster/apps for a distributed deployment.
  3. Manually delete SA-nix from your apps folder.

Upgrade from version 4.6.x and earlier

Upgrading from version 4.6.x of the Splunk App for Unix and Linux is unsupported. You can run version 4.6 simultaneously with another version.

The installation package for version 5.2.5 installs in a different directory than version 4.6. Once you have installed version 5.2.5, you can configure version 5.2.5 to use the same indexes and source types that version 4.6 uses.

For detailed installation instructions, see Install the Splunk App for Unix and Linux.

Do not install version 5.2.5 in the same directory that any version earlier than 5.0 uses. That older directory is not supported, and installing version 5.2.5 there can render both versions of the app unusable.

Once you have configured and evaluated version 5.2.5, you can remove version 4.6 without data loss.

Last modified on 04 March, 2020

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.2.5

