Install the Splunk App for Unix and Linux

The installation package for the Splunk App for Unix and Linux contains dashboards, reports, alerts, lookups, and macros for use with Splunk Web.

Create an index

The Splunk Add-on for Unix and Linux is a separate download from Splunkbase. Versions 6.0.0 and later of the Splunk Add-on for Unix and Linux do not include indexes. For the Splunk App for Unix and Linux, complete the following steps to create an index on your indexer:

1. Make a local directory in the splunk_app_for_nix folder if you don't have one already.
2. From the app's Default directory, copy macros.conf and savedsearches.conf into your local directory.
3. Edit the os_index macro in macros.conf as follows: index=os.
   You can also make a custom index: index=<custom index>.
4. Edit the fired_alerts saved search in savedsearches.conf as follows:
   | rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=os.

Install the Splunk App for Unix and Linux using Splunk Web

Complete the following steps to install the Splunk App for Unix and Linux using Splunk Web:

1. Download the Splunk App for Unix and Linux from Splunkbase, or by browsing to it using Splunk Web.
2. From the Splunk Web home screen, click the gear icon next to Apps.
3. Click Install app from file.
4. Locate the downloaded app file and click Upload.
5. Restart the Splunk platform.

Install the Splunk App for Unix and Linux from the command line

Complete the following steps to install the Splunk App for Unix and Linux using the command line:

1. Download the Splunk App for Unix and Linux from Splunkbase.
2. Unpack the file.
3. Copy the splunk_app_for_nix directory to $SPLUNK_HOME/etc/apps.
4. Restart the Splunk platform.

Upgrade the Splunk App for Unix and Linux

You can upgrade directly from versions 5.2.2 and later of the Splunk App for Unix and Linux through Splunk's in-app upgrade feature within Splunk Web, or from the command line.

Upgrade from versions 4.7 through 5.2.1

Versions 5.2.2 and later of the Splunk App for Unix and Linux do not include the SA-nix file. If you are upgrading from versions 4.7 through 5.2.1, complete the following steps to keep the categories and groups that you have configured:

1. Copy the dropdowns.csv file. In a single-instance deployment, the file is in etc/apps/SA-nix/lookups/. In a distributed deployment, the file is in $SPLUNK_HOME/etc/shcluster/apps.
2. Move the copied dropdowns.csv file to etc/apps/splunk_app_for_nix/lookups/ for a single instance deployment or to $SPLUNK_HOME/etc/shcluster/apps for a distributed deployment.
3. Manually delete SA-nix from your apps folder.

Upgrade from version 4.6.x and earlier

Upgrading from version 4.6.x of the Splunk App for Unix and Linux in unsupported. You can run version 4.6 simultaneously with another version.

The installation package for version 5.2.5 installs in a different directory than version 4.6. Once you have installed version 5.2.5, you can configure version 5.2.5 to use the same indexes and source types that version 4.6 uses.

For detailed installation instructions, see Install the Splunk App for Unix and Linux.

Do not install version 5.2.5 in the same directory that any version earlier than 5.0 uses. That older directory is not supported, and installing version 5.2.5 there can render both versions of the app unusable.

Once you have configured and evaluated version 5.2.5, you can remove version 4.6 without data loss.

Upgrade from version 5.2.5 to version 6.0.0

Complete the following steps for a single instance deployment. In case of a distributed deployment, use the $SPLUNK_HOME/etc/shcluster/apps/ path.

1. Stop Splunk.
2. In version 5.2.5 $SPLUNK_HOME/etc/apps/splunk_app_for_nix, rename appserver folder to appserver_backup.
3. In version 5.2.5 $SPLUNK_HOME/etc/apps/splunk_app_for_nix/default/data/ui/views folder, rename the following:
   1. browser_incompatibility.xml to browser_incompatibility.xml.backup
   2. home_fullscreen.xml to home_fullscreen.xml.backup
4. Copy dropdowns.csv from $SPLUNK_HOME/etc/apps/splunk_app_for_nix/lookups.
5. If you are upgrading the app from the user interface, copy indexes.conf from $SPLUNK_HOME/etc/apps/splunk_app_for_nix/default to $SPLUNK_HOME/etc/apps/splunk_app_for_nix/local. If you are not updating the app from the user interface, skip this step.
6. Untar the new app package in $SPLUNK_HOME/etc/apps.
7. Place the copied dropdowns.csv from step 4 to $SPLUNK_HOME/etc/apps/splunk_app_for_nix/lookups of the new app.
8. Start Splunk.

Upgrade from version 6.0.0 to version 6.0.1

When to the Splunk App for Unix version 6.0.1 in the search head cluster environment, use "-preserve-lookups true" to retain previous lookup data on search heads.

For example, run splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>.

Complete the following steps for a single instance deployment. In case of a distributed deployment, use the $SPLUNK_HOME/etc/shcluster/apps/ path.

1. Stop your Splunk platform.
2. Untar the new app package in $SPLUNK_HOME/etc/apps.
3. Start your Splunk platform.

Upgrade from version 6.0.1 to version 6.0.2

When upgrading to the Splunk App for Unix version 6.0.2 in the search head cluster environment, use -preserve-lookups true to retain previous lookup data on search heads.

For example, run splunk apply shcluster-bundle -target <URI>:<management_port> -preserve-lookups true -auth <username>:<password>.

Complete the following steps for a single instance deployment. In case of a distributed deployment, use the $SPLUNK_HOME/etc/shcluster/apps/ path.

1. Stop your Splunk platform.
2. Untar the new app package in $SPLUNK_HOME/etc/apps.
3. Start your Splunk platform.