
Can you help me to Install the Splunk Add-on for Unix and Linux?

genesiusj
Builder

Hello,

This is what is listed in the documentation for the Splunk Add-on for Unix and Linux.

https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/InstalltheSplunkAppforUnixandLinux

Create an index

The Splunk Add-on for Unix and Linux is a separate download from Splunkbase. Versions 6.0.0 and later of the Splunk Add-on for Unix and Linux do not include indexes. For the Splunk App for Unix and Linux, complete the following steps to create an index on your indexer:

  1. Make a local directory in the splunk_app_for_nix folder if you don't have one already.
  2. From the app's Default directory, copy macros.conf and savedsearches.conf into your local directory.
  3. Edit the os-index macro in macros.conf as follows: index=os. You can also make a custom index: index=<custom index>.
  4. Edit the fired_alerts saved search in savedsearches.conf as follows: | rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=os.

This is the environment on our Indexer. There is no splunk_app_for_nix folder on the Indexer.

Note: I bolded every other file/folder to make it easier to read this post.

[root@splnkIndexer splunk]# ls
    **bin**            include           **openssl**            splunk-7.2.2-48f4f251be37-linux-2.6-x86_64-manifest
    **copyright.txt**  lib               **README-splunk.txt**  var
    **etc**            license-eula.txt  **share**

[root@splnkIndexer splunk]# cd etc
[root@splnkIndexer etc]# ls
   **anonymizer**       log-btool-debug.cfg    **passwd**
   apps             **log.cfg**                prettyprint.xsl
   **auth**             log-cmdline.cfg        **regid.2001-12.com.splunk-Splunk-Enterprise.swidtag**
   copyright.txt    **log-cmdline-debug.cfg**  searchLanguage.xml
   **datetime.xml**     log-debug.cfg          **shcluster**
   deployment-apps  **login-info.cfg**         splunk-enttrial.lic
   **disabled-apps**    log-searchprocess.cfg  **splunk-launch.conf**
   findlogs.ini     **log-utility.cfg**        splunk-launch.conf.default
   **init.d**           master-apps            **splunk.version**
   instance.cfg     **modules**                system
   **licenses**         myinstall              **users**
   log-btool.cfg    **openldap**

[root@splnkIndexer etc]# cd apps
[root@splnkIndexer apps]# ls
   **alert_logevent**  introspection_generator_addon  **search**           splunk_httpinput           **Splunk_TA_windows**
   alert_webhook   **launcher**                       sendtoindexer    **splunk_instrumentation**     user-prefs
   **appsbrowser**     learned                        **splunk_archiver**  SplunkLightForwarder
   **framework**       legacy                         **SplunkForwarder**  splunk_monitoring_console
   **gettingstarted**  sample_app                     **splunk_gdi**       Splunk_TA_nix

Note: The Splunk Add-on for Unix and Linux is installed on both the Indexer and the Search Head.

Thanks in advance for any direction/help.

I added a code sample box, since I cannot attach a file, to better explain what I have tried and how the documentation is confusing at best. I hope this is not too confusing for you.

Reading the documentation for Install and Use the Splunk App for Unix and Linux, there is a page, Install the Splunk App for Unix and Linux:
https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/InstalltheSplunkAppforUnixandLinux
This page reads:
Create an index
The Splunk Add-on for Unix and Linux is a separate download from Splunkbase. Versions 6.0.0 and later of the Splunk Add-on for Unix and Linux do not include indexes. For the Splunk App for Unix and Linux, complete the following steps to create an index on your indexer:
1.  Make a local directory in the splunk_app_for_nix folder if you don't have one already.
2.  From the app's Default directory, copy macros.conf and savedsearches.conf into your local directory.
3.  Edit the os-index macro in macros.conf as follows: index=os.
You can also make a custom index: index=<custom index>.
4.  Edit the fired_alerts saved search in savedsearches.conf as follows:
| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=os.
The splunk_app_for_nix folder does not exist. See below for the folder structure on our Splunk Indexer.
[root@splnkIndexer splunk]# ls
    **bin**            include           **openssl**            splunk-7.2.2-48f4f251be37-linux-2.6-x86_64-manifest
    **copyright.txt**  lib               **README-splunk.txt**  var
    **etc**            license-eula.txt  **share**

[root@splnkIndexer splunk]# cd etc
[root@splnkIndexer etc]# ls
    **anonymizer**       log-btool-debug.cfg    **passwd**
    apps             **log.cfg**                prettyprint.xsl
    **auth**             log-cmdline.cfg        **regid.2001-12.com.splunk-Splunk-Enterprise.swidtag**
    copyright.txt    **log-cmdline-debug.cfg**  searchLanguage.xml
    **datetime.xml**     log-debug.cfg          **shcluster**
    deployment-apps  **login-info.cfg**         splunk-enttrial.lic
    **disabled-apps**    log-searchprocess.cfg  **splunk-launch.conf**
    findlogs.ini     **log-utility.cfg**        splunk-launch.conf.default
    **init.d**           master-apps            **splunk.version**
    instance.cfg     **modules**                system
    **licenses**         myinstall              **users**
    log-btool.cfg    **openldap**

[root@splnkIndexer etc]# cd apps
[root@splnkIndexer apps]# ls
    **alert_logevent**  introspection_generator_addon  **search**           splunk_httpinput           **Splunk_TA_windows**
    alert_webhook   **launcher**                       sendtoindexer    **splunk_instrumentation**     user-prefs
    **appsbrowser**     learned                        **splunk_archiver**  SplunkLightForwarder
    **framework**       legacy                         **SplunkForwarder**  splunk_monitoring_console
    **gettingstarted**  sample_app                     **splunk_gdi**       Splunk_TA_nix
Elsewhere in the Splunk documentation there is another page, Install the Splunk App for Unix and Linux in a distributed Splunk environment:
https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/DeploytheSplunkAppforUnixandLinuxinadistributedSplunkenvironment
This page reads:
Splunk App and Add-on for Unix and Linux Installation Locations:

Component                  Search Head / Search Head Cluster   Indexer   Forwarder   Deployment Server
App: splunk_app_for_nix    X
Add-on: Splunk_TA_nix      X                                   X         X           X

Install the Splunk App for Unix and Linux on a search head
After you install the Splunk App for Unix and Linux on your indexers, you must configure and install the app onto search heads which search the indexers. Once you have installed the app onto search heads, you can then log into the search heads and view the incoming *nix data. 
If you have a search head cluster, follow the instructions at "Install the Splunk App for Unix and Linux on a search head cluster" later in this topic. 
To install the Splunk App for Unix and Linux on a search head: 
1.  Identify the hosts that will act as search heads in your Splunk App for Unix and Linux deployment.
2.  Install Splunk Enterprise onto each of these computers, if it is not already installed.
3.  On each host, configure Splunk Enterprise to search across all of the indexers in the deployment that will store *nix data.
4.  Follow the instructions in "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components on each search head.
5.  Restart Splunk Enterprise to complete the app installation.
See the red highlighted text above. These instructions appear to be cyclical and not helpful.
"After you install the Splunk App for Unix and Linux on your indexers" – according to the table above you DON'T install the Splunk App for Unix and Linux on indexers.
"Install the Splunk App for Unix and Linux on a single server" – this link directs back to the first page mentioned in this document, which brings me back to the same issue. BTW, the title is "…Linux on a single server". Meanwhile the page is titled "Install the Splunk App for Unix and Linux"; "single" is not mentioned, even within the page itself, except within the section on Upgrade the Splunk App for Unix and Linux.

God bless,

Genesius

0 Karma

integratorz
Path Finder

@genesiusj splunk_app_for_nix is the application that holds all of the dashboards / lookups / savedsearches etc. This would be what is on your search head. Your indexer will have the Splunk Add-on for Unix and Linux a.k.a. Splunk_TA_nix. This is present in your list under $SPLUNK_HOME/etc/apps. The app comes with all the prebuilt dashboards and saved searches that use a macro to specify which index to find the *nix data in. You may have used a custom index, or just used the default index=os. In order for the app splunk_app_for_nix to know where the data resides, you can follow the directions on Splunkbase to edit the macro specified. It's important to remember that apps almost always reside on the search heads and contain knowledge objects. TAs on the other hand could reside on a SH / HF / IDX / UF. Where and when these are required depends on what you are looking to do with the data.
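The two pieces of configuration the documentation quoted in the question and the reply above talk about, the os-index macro override on the search head and the index itself on the indexer, laid down as a script. This is an added example, not code from the thread or from Splunk; it assumes SPLUNK_HOME points at the install, and the app name os_indexes for the indexer-side indexes.conf is a constructed choice.

```shell
#!/bin/sh
# Added example, not from the thread or the Splunk docs: write the local
# overrides the documentation describes and read the result back.
# Assumes SPLUNK_HOME points at the install; the app name "os_indexes" for
# the indexer-side indexes.conf is a constructed choice.
set -eu

# Splunk index names: lowercase letters, digits, "_" and "-", not starting
# with "_" or "-". Rejecting anything else also keeps a newline or "[" out
# of the generated .conf files.
valid_index_name() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9_-]*$'
}

# Search head: override the os-index macro in local/ so default/ stays
# untouched and survives app upgrades (local/ wins in Splunk's layering).
# Appends, so any other local macros are kept.
write_os_index_macro() {
  splunk_home=$1; index_name=$2
  valid_index_name "$index_name" || return 1
  local_dir="$splunk_home/etc/apps/splunk_app_for_nix/local"
  mkdir -p "$local_dir"
  printf '[os-index]\ndefinition = index=%s\n' "$index_name" \
    >> "$local_dir/macros.conf"
}

# Indexer: add-on 6.0.0+ ships no indexes.conf, so the target index has to
# be defined here (the three paths are the ones Splunk requires for a new
# index). Restart the indexer afterwards.
write_os_index() {
  splunk_home=$1; index_name=$2
  valid_index_name "$index_name" || return 1
  local_dir="$splunk_home/etc/apps/os_indexes/local"
  mkdir -p "$local_dir"
  cat >> "$local_dir/indexes.conf" <<EOF
[$index_name]
homePath   = \$SPLUNK_DB/$index_name/db
coldPath   = \$SPLUNK_DB/$index_name/colddb
thawedPath = \$SPLUNK_DB/$index_name/thaweddb
EOF
}

# Read back the macro definition from local/macros.conf (the value that
# "splunk btool macros list os-index --debug" would report as effective).
effective_os_index_macro() {
  sed -n '/^\[os-index\]$/,/^\[/{s/^definition *= *//p;}' \
    "$1/etc/apps/splunk_app_for_nix/local/macros.conf"
}
```

Run write_os_index_macro on the search head and write_os_index on the indexer with the same index name; the two must agree or the app's dashboards search an index that holds no data.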

lakshman239
SplunkTrust
SplunkTrust

What's the issue you are facing? It seems like the install is done correctly. You can configure your inputs.conf to send data/logs to any index of your choice.

0 Karma

genesiusj
Builder

lakshman,
No install of the app has been undertaken. I was attempting to follow the documentation and it lists a procedure for adding indexes to the indexer.
1. Make a local directory in the splunk_app_for_nix folder if you don't have one already.
There is no splunk_app_for_nix folder on the indexer.

I think I may have found the issue.
Install the Splunk App for Unix and Linux is one of the sections in the online Splunk documentation, and the section I was using/referring to.
Checking further into the online doc is another section, Install the Splunk App for Unix and Linux in a distributed Splunk environment. I'm going to follow those procedures and report back.

However, it would have been easier to follow if that first section was renamed from Install the Splunk App for Unix and Linux to Install the Splunk App for Unix and Linux in a standalone Splunk environment

Thanks for your help and God bless,
Genesius

PS Found possible typos on this page.
https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/DeploytheSplunkAppforUnixandLinuxinadistrib...

Splunk App and Add-on for Unix and Linux Installation Locations:

Component                  Search Head / Search Head Cluster   Indexer   Forwarder   Deployment Server
App: splunk_app_for_nix    X
Add-on: Splunk_TA_nix      X                                   X         X           X

However, a few paragraphs later it reads
Install the Splunk App for Unix and Linux on a search head
After you install the Splunk App for Unix and Linux on your indexers, you must configure and install the app onto search heads which search the indexers.

Should this have been written as
Install the Splunk App for Unix and Linux on a search head
After you install the Splunk Addon for Unix and Linux on your indexers, you must configure and install the Splunk App for Unix and Linux onto search heads which search the indexers.

God bless,
Genesius

0 Karma

ccornell_splunk
Splunk Employee
Splunk Employee

Regarding the possible typo on https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/DeploytheSplunkAppforUnixandLinuxinadistrib...

You're right, and I've fixed it up. Refresh the page and you will see the updated text. Thanks for catching that 🙂 If you catch other typos or doc issues, feel free to send the feedback right from that specific doc page (there's a feedback section at the bottom of every doc page).

0 Karma

genesiusj
Builder

@ccornell_splunk
Did you make the updates after my first posting, or on the update? Either way, I do not see any changes.
Thanks and God bless,
Genesius
PS If I were able to upload a doc, I would take screenshots, etc., of what I am experiencing.

0 Karma

ccornell_splunk
Splunk Employee
Splunk Employee

Refresh the page again? I made the updates today.

The workflow was not quite right as you noted. It now reads:

Install the Splunk App for Unix and Linux on a search head
After you install the Splunk Add-on for Unix and Linux on your indexers, you must configure and install the Splunk App for Unix and Linux onto search heads which search the indexers.

0 Karma

genesiusj
Builder

@ccornell_splunk
There are still issues. Apologies, I don't have the time to search for the typos, misdirected links, etc. This document should be taken offline and rechecked and modified accordingly.

https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/DeploytheSplunkAppforUnixandLinuxinadistrib...

Steps to building a Splunk App for Unix and Linux deployment
7. Install the Splunk Add-on for Unix and Linux on the search head or search head cluster.
8. Install the Splunk App for Unix and Linux on the search head or search head cluster.

For the above the links are correct, but not the text.


Install the Splunk App for Unix and Linux on a search head
4. Follow the instructions in "Install the Splunk App for Unix and Linux on a single server" to place the Splunk App for Unix and Linux components on each search head.

For the above it reads "...Linux on a single server". When I mouse over it, the URL reads "InstalltheSplunkAppforUnixandLinux". Clicking this link takes me to the page that started this post, Install the Splunk App for Unix and Linux. This page should be renamed Install the Splunk App for Unix and Linux on a single server.
See below what happens when I click that link.


https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/InstalltheSplunkAppforUnixandLinux

This leads me back to my issue with
"Create an index"
1. Make a local directory in the splunk_app_for_nix folder if you don't have one already.
2. From the app's Default directory, copy macros.conf and savedsearches.conf into your local directory.

There is no splunk_app_for_nix folder because the app hasn't been installed. The app hasn't been installed because the documentation circles me back to this page.


Would it be possible for a Splunk engineer to post simple directions to install the app? Here's what we have:
1. Splunk Enterprise 7.x is installed.
2. We have separate physical servers: one as our indexer; the other as our search head.
3. We are a distributed environment; however, we are currently installing agents, etc. manually (not an issue for this post).
4. If you require any other info on our environment, please ask.


Thanks in advance for assisting with this now very pressing issue.

God bless,
Genesius

PS If there are any customers reading this and you have re-written this documentation to make it work, kindly attach it in a comment to this post.

0 Karma

ccornell_splunk
Splunk Employee
Splunk Employee

Hi.

I've opened a doc task related to your feedback. I'll see what I can do to clarify things, be more specific on section headings and make sure the workflow is correct/logical (seems some errors have snuck in there over multiple edits/changes).

Clayton

0 Karma