Splunk® App for Unix and Linux

Install and Use the Splunk App for Unix and Linux


Install the Splunk App for Unix and Linux

The installation package for the Splunk App for Unix and Linux contains dashboards, reports, alerts, lookups, and macros for use with Splunk Web.

Create an index

The Splunk Add-on for Unix and Linux is a separate download from Splunkbase. Versions 6.0.0 and later of the Splunk Add-on for Unix and Linux do not include indexes, so the index that the Splunk App for Unix and Linux searches must be created on your indexers. Complete the following steps to point the app at that index:

  1. Make a local directory in $SPLUNK_HOME/etc/apps/splunk_app_for_nix if you don't have one already.
  2. From the app's default directory, copy macros.conf and savedsearches.conf into your local directory.
  3. Edit the os-index macro in macros.conf so that its definition is index=os.
    You can also use a custom index: index=<custom index>. Use the same index name in the next step.
  4. Edit the fired_alerts saved search in savedsearches.conf so that it reads:
    | rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=os
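The following shell script is an added example and is not part of the Splunk documentation or of the app itself. It produces the local/ overrides that steps 1 through 4 describe, plus the indexes.conf stanza that makes the index exist. It writes only the overridden stanzas to local/ rather than a full copy of each default file: Splunk merges local/ over default/ per key, so the override is sufficient and the remaining defaults keep working across upgrades. The macro name os-index and the saved search name fired_alerts are taken from the steps above; the $SPLUNK_DB path layout in the index stanza and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation or the app.
# Usage: write_nix_index_overrides <app_dir> [index_name]   (index_name defaults to os)
#   app_dir is $SPLUNK_HOME/etc/apps/splunk_app_for_nix on a single instance.
write_nix_index_overrides() {
  app_dir="$1"
  index_name="${2:-os}"
  mkdir -p "$app_dir/local"
  # Steps 1-3: the os-index macro is what every dashboard search expands to,
  # so this one definition decides which index the whole app reads from.
  cat > "$app_dir/local/macros.conf" <<EOF
[os-index]
definition = index=$index_name
EOF
  # Step 4: fired_alerts must collect into the same index the macro searches.
  cat > "$app_dir/local/savedsearches.conf" <<EOF
[fired_alerts]
search = | rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=$index_name
EOF
}

# The index itself. This stanza belongs in indexes.conf on the indexer(s),
# not on a search head; on a single instance it can go in the same local/.
# Path layout ($SPLUNK_DB/<index>/{db,colddb,thaweddb}) is an assumption here.
nix_index_stanza() {
  index_name="${1:-os}"
  cat <<EOF
[$index_name]
homePath   = \$SPLUNK_DB/$index_name/db
coldPath   = \$SPLUNK_DB/$index_name/colddb
thawedPath = \$SPLUNK_DB/$index_name/thaweddb
EOF
}
```

After the restart, confirm which file each setting is actually coming from with $SPLUNK_HOME/bin/splunk btool macros list os-index --debug; if the local/ definition does not appear there, the override is in the wrong directory. In a distributed deployment, send the indexes.conf stanza to the indexers and keep only the macro and saved search overrides on the search head.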

Install the Splunk App for Unix and Linux using Splunk Web

Complete the following steps to install the Splunk App for Unix and Linux using Splunk Web:

  1. Download the Splunk App for Unix and Linux from Splunkbase, or by browsing to it using Splunk Web.
  2. From the Splunk Web home screen, click the gear icon next to Apps.
  3. Click Install app from file.
  4. Locate the downloaded app file and click Upload.
  5. Restart the Splunk platform.

Install the Splunk App for Unix and Linux from the command line

Complete the following steps to install the Splunk App for Unix and Linux using the command line:

  1. Download the Splunk App for Unix and Linux from Splunkbase.
  2. Unpack the file.
  3. Copy the splunk_app_for_nix directory to $SPLUNK_HOME/etc/apps.
  4. Restart the Splunk platform.
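The following shell function is an added example and is not part of the Splunk documentation or the app. It performs steps 2 and 3 above with two checks a practitioner would want before anything lands under $SPLUNK_HOME/etc/apps: a SHA-256 comparison against a hash you recorded from a copy you already vetted (no hash is given here; supplying one is optional), and a look at the archive layout, refusing packages that do not unpack to a single splunk_app_for_nix directory or that carry a local/ directory, since local/ settings override the app's defaults and a Splunkbase package is not expected to ship them. It assumes the package is a gzipped tar (.tgz or .spl) and that sha256sum is available; the function name and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation or the app.
# Usage: install_nix_app <package.tgz|.spl> <SPLUNK_HOME> [expected_sha256]
install_nix_app() {
  pkg="$1"; splunk_home="$2"; expected="$3"
  [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }

  # Supply-chain check: refuse to install if the package hash does not match
  # the one recorded from a vetted copy. (On macOS use: shasum -a 256)
  if [ -n "$expected" ]; then
    actual=$(sha256sum "$pkg" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $pkg" >&2; return 1; }
  fi

  # Step 2: unpack into a scratch directory, never straight into etc/apps,
  # so a bad archive can be inspected and discarded without side effects.
  work=$(mktemp -d)
  tar -xzf "$pkg" -C "$work" || { rm -rf "$work"; return 1; }

  # The archive must contain exactly one top-level directory, splunk_app_for_nix.
  [ "$(ls "$work")" = "splunk_app_for_nix" ] || {
    echo "unexpected archive layout: $(ls "$work" | tr '\n' ' ')" >&2
    rm -rf "$work"; return 1
  }
  # A packaged app ships its settings under default/; a local/ directory would
  # override them and deserves a look before it goes anywhere near production.
  [ ! -d "$work/splunk_app_for_nix/local" ] || {
    echo "package contains a local/ directory; inspect before installing" >&2
    rm -rf "$work"; return 1
  }

  # Step 3: copy into place. Step 4 (restart) is left to the operator.
  mkdir -p "$splunk_home/etc/apps"
  cp -R "$work/splunk_app_for_nix" "$splunk_home/etc/apps/"
  rm -rf "$work"
  echo "installed to $splunk_home/etc/apps/splunk_app_for_nix; now run: $splunk_home/bin/splunk restart"
}
```

Run it as the same user that owns $SPLUNK_HOME so the copied files get the right ownership, then restart the Splunk platform as in step 4.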

Upgrade the Splunk App for Unix and Linux

You can upgrade directly from versions 5.2.2 and later of the Splunk App for Unix and Linux through Splunk's in-app upgrade feature within Splunk Web, or from the command line.

Upgrade from versions 4.7 through 5.2.1

Versions 5.2.2 and later of the Splunk App for Unix and Linux do not include the SA-nix directory. If you are upgrading from versions 4.7 through 5.2.1, complete the following steps to keep the categories and groups that you have configured:

  1. Copy the dropdowns.csv file. In a single-instance deployment, the file is in $SPLUNK_HOME/etc/apps/SA-nix/lookups/. In a distributed deployment, it is in the SA-nix app under $SPLUNK_HOME/etc/shcluster/apps on the search head cluster deployer.
  2. Move the copied dropdowns.csv file to $SPLUNK_HOME/etc/apps/splunk_app_for_nix/lookups/ for a single-instance deployment, or to the splunk_app_for_nix app under $SPLUNK_HOME/etc/shcluster/apps for a distributed deployment.
  3. Manually delete the SA-nix directory from the same apps directory.
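The following shell function is an added example and is not part of the Splunk documentation or the app. It carries out the three steps above for one apps directory (etc/apps on a single instance, or the app staging directory under etc/shcluster/apps on the deployer), with two additions the steps leave to the operator: it keeps any dropdowns.csv the new app already has under a .pre-upgrade name so the two can be compared, and it archives SA-nix to a scratch directory before deleting it so the removal can be undone. The function name, the backup location and the sample CSV contents used in the check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation or the app.
# Usage: migrate_sa_nix_lookups <apps_dir>
#   apps_dir holds both SA-nix and splunk_app_for_nix side by side.
migrate_sa_nix_lookups() {
  apps="$1"
  src="$apps/SA-nix/lookups/dropdowns.csv"
  dst="$apps/splunk_app_for_nix/lookups/dropdowns.csv"

  # The new app must already be installed; there is nowhere to migrate to otherwise.
  [ -d "$apps/splunk_app_for_nix" ] || { echo "install splunk_app_for_nix 5.2.2 or later first" >&2; return 1; }

  # Steps 1-2: copy the lookup across, keeping whatever the new app shipped.
  if [ -f "$src" ]; then
    mkdir -p "$(dirname "$dst")"
    [ ! -f "$dst" ] || cp "$dst" "$dst.pre-upgrade"
    cp "$src" "$dst"
  else
    echo "no dropdowns.csv under SA-nix; nothing to carry over" >&2
  fi

  # Step 3: archive SA-nix before deleting it so the change is reversible.
  if [ -d "$apps/SA-nix" ]; then
    bak=$(mktemp -d)
    tar -czf "$bak/SA-nix.tgz" -C "$apps" SA-nix
    rm -rf "$apps/SA-nix"
    echo "SA-nix removed; backup at $bak/SA-nix.tgz"
  fi
}
```

On a search head cluster, run this against the deployer's staging directory and then push the bundle as you normally would; editing the apps directly on cluster members is overwritten at the next push.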

Upgrade from version 4.6.x and earlier

Upgrading from version 4.6.x or earlier of the Splunk App for Unix and Linux is unsupported. You can run version 4.6 side by side with another version.

The installation package for version 5.2.5 installs in a different directory than version 4.6. Once you have installed version 5.2.5, you can configure version 5.2.5 to use the same indexes and source types that version 4.6 uses.

For detailed installation instructions, see Install the Splunk App for Unix and Linux.

Do not install version 5.2.5 in the same directory that any version earlier than 5.0 uses. That older directory is not supported, and installing version 5.2.5 there can render both versions of the app unusable.

Once you have configured and evaluated version 5.2.5, you can remove version 4.6 without data loss.


This documentation applies to the following versions of Splunk® App for Unix and Linux: 5.2.5

