topic Re: Splunk 4.2 Universal Forwarder *nix app install via CLI in Getting Data In

Splunk 4.2 Universal Forwarder *nix app install via CLI

monkeybox — Tue, 29 Mar 2011 05:42:34 GMT

I am running a Linux box as an indexer and have multiple servers feeding data back to the index. The issue I am having is a simple one but I cannot find a very straight forward answer. Forgive me if this question has been answered but I have only been successful in finding variations of the question. I have 4 unix boxes that I have the new universal forwarders set up on. The initial set up went smoothly and the data is being fed into the deployment manager. Since there is no browser interface I need to install the *nix app via the terminal. What is the correct syntax to accomplish this? the only data I am receiving from my forwarders is splunk information.

example: 03/18/2011 19:30:00, search_name="All indexers - regenerator", search_now=1300503600.000, info_min_time=1300501800.000, info_max_time=1300503600.000, info_search_time=1300503640.924, avg_age=0, indexQ_percentage=0, kb="2420.735356", my_splunk_server="access-root", parseQ_percentage=0, report="\"DM indexer summary index\""

I was hoping to install the *nix app in order to collect more important data such as syslogs. Without having to manually forward them. Since this is something the forwarder should do.

Any help would be appreciated.

Thanks, Miguel

Re: Splunk 4.2 Universal Forwarder *nix app install via CLI

Genti — Tue, 29 Mar 2011 07:28:37 GMT

Miguel,

There is currently a bug with installing Splunk 4.2 UF via the CLI.

http://answers.splunk.com/questions/13073/installing-setting-up-unix-app-with-universal-forwarder/13078#13078

However, you can still easily install the app via the configuration files. Here is a quick installation guide:

1 - Download the Unix app from splunkbase
2 - untar the package in the /splunk/etc/apps directory so that it looks like: /splunk/etc/apps/unix
3 - Copy /splunk/etc/apps/unix/default/app.conf to /splunk/etc/apps/unix/local/app.conf
4 - Edit the app.conf in the local directory to say: app=enabled
5 - Copy /splunk/etc/apps/unix/default/inputs.conf to /splunk/etc/apps/unix/local/
6 - Edit /splunk/etc/apps/unix/local/inputs.conf so that you ENABLE (set to 1) each and all inputs you would like to send to the indexer.
7 - Restart splunk

(Assuming youve already set up forwarding/receiving) This should do it...

Re: Splunk 4.2 Universal Forwarder *nix app install via CLI

yannK — Tue, 29 Mar 2011 07:33:52 GMT

You will have to use the CLI, or modify directly the configuration files.

download the unix app from splunkbase http://splunkbase.splunk.com/apps/All/4.x/App/app:Splunk+for+Unix+and+Linux, untar the file in $SPLUNK_HOME/etc/apps/
restart splunk, and enable the app from cd $SPLUNK_HOME/bin ./splunk enable app unix
to tune your inputs, modify the $SPLUNK_HOME/etc/apps/unix/local/inputs.conf and restart to apply.

You can check the result of your configuration with ./btool inputs list

Re: Splunk 4.2 Universal Forwarder *nix app install via CLI

monkeybox — Wed, 30 Mar 2011 00:32:16 GMT

Exactly what I was looking for. Thank you. It appears to have gone smoothly. Should I be looking for data sent from forwarders under my deployment manager/search app/ or my indexers *nix app? Thanks again.

Re: Splunk 4.2 Universal Forwarder *nix app install via CLI

Genti — Wed, 30 Mar 2011 02:23:23 GMT

you should be able to see the data from both apps, as long as you specify index=os on the search app. (the unix app has that by default)

Re: Splunk 4.2 Universal Forwarder *nix app install via CLI

splunkdsf — Sat, 02 Apr 2011 14:55:56 GMT

After I follow these instructions, I start the application (splunk start) -- all is fine.

Then I do ==> enable the app from cd $SPLUNK_HOME/bin ./splunk enable app unix

It returns:

Your session is invalid. Please login. Splunk username: admin Password: Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".

if i enter the incorrect password it lets me know... the correct password shuts it off. Any ideas? thanks.

Re: Splunk 4.2 Universal Forwarder *nix app install via CLI

hugocvg — Wed, 20 Mar 2013 21:59:48 GMT

what command you run to enable unix app?