Can you help me use the Splunk App for Infrastructure with a non-Internet Facing System?

rriegert
New Member

I've been reviewing the Splunk App for Infrastructure. It appears that the script created by the app to set up the Universal Forwarder (UF) for metrics data ingestion attempts to go to the internet to download and install the UF, with a bunch of switches/config baked into the script.

Our systems do not have internet access, so I'm wondering if anyone else has traveled this road before me and can give me guidance before I attempt to dissect and customize the Get Data generated UF install Script to meet my "offline install" need.

Thanks for your help.

0 Karma
1 Solution

dagarwal_splunk
Splunk Employee
  • This is a sample inputs.conf for UF that you can try. Modify it based on your requirements:

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta = os::"Microsoft Windows"

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = 30
object = PhysicalDisk
index = em_metrics
_meta = os::"Microsoft Windows"

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
instances = *
interval = 30
object = Network Interface
index = em_metrics
_meta = os::"Microsoft Windows"

[perfmon://Available Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
object = Memory
index = em_metrics
_meta = os::"Microsoft Windows"

[perfmon://System]
counters = Processor Queue Length;Threads
instances = *
interval = 30
object = System
index = em_metrics
_meta = os::"Microsoft Windows"

[perfmon://Process]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Process
index = em_metrics
_meta = os::"Microsoft Windows"

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
object = LogicalDisk
index = em_metrics
_meta = os::"Microsoft Windows"

[monitor://$SPLUNK_HOME\var\log\splunk*.log*]
sourcetype = uf
disabled = false

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

  • Configure UF outputs.conf to send data to your SAI (Splunk App for Infrastructure).
    • You might need Splunk Add-on for Infrastructure installed in Splunk Enterprise depending on SAI version.

0 Karma


rriegert
New Member

Yeah, I already have forwarders deployed, so I was really just looking at the inputs.conf config that the installer provided so I can tweak them where necessary. We use indexer clustering, and I have deployed the add-on to that tier. We also use search head clustering, so I have deployed the Splunk App for Infrastructure to that tier. In terms of the outputs.conf recommendation, there's the monitoring machine field in the "Add Data" page of the App for Infrastructure. Would that be the search head tier, or the indexing tier? What is the recommended way to designate a cluster for that field? IP\hostnames separated by commas? A load balancer that then forwards the data across the correct tier? What does that outputs.conf configuration look like? The install docs talk about using a Heavy Forwarder as the data pipeline, but we are currently sending UF data directly to the indexers.

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

monitoring_machine will be the indexers in your case.
You should be able to use this doc to set up your outputs.conf:
http://docs.splunk.com/Documentation/Splunk/7.2.1/Forwarding/Setuploadbalancingd

0 Karma
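As a worked illustration of the "send UF data straight to the indexer cluster" setup discussed above, here is an added example outputs.conf for the forwarder (not the author's or Splunk's own file). The indexer hostnames, the port 9997, the certificate path and the TLS lines are assumptions; the TLS settings only apply if the indexers accept forwarder traffic over a [splunktcp-ssl] input.

```ini
# outputs.conf on the Universal Forwarder
# (assumed location: $SPLUNK_HOME\etc\system\local\outputs.conf)

[tcpout]
defaultGroup = sai_indexers

[tcpout:sai_indexers]
# Assumed indexer cluster peers. The UF load-balances across this list
# itself, so no load balancer in front of the indexing tier is needed;
# list every peer rather than a single VIP.
server = idx1.example.local:9997,idx2.example.local:9997,idx3.example.local:9997

# Rotate to the next peer every 30 seconds so metrics spread evenly.
autoLBFrequency = 30

# Indexer acknowledgement: the UF re-sends any data a peer did not confirm,
# so a peer going offline mid-batch does not silently drop metrics.
useACK = true

# Encrypt forwarder-to-indexer traffic and verify the indexer's certificate.
# Assumes a client certificate at the path below and the issuing CA set under
# server.conf [sslConfig] on the forwarder.
sslCertPath = $SPLUNK_HOME\etc\auth\uf_client.pem
sslVerifyServerCert = true
```

After saving the file, restart the forwarder and confirm with "splunk list forward-server" that every peer shows as active.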

rriegert
New Member

Thanks for the info. Just curious, what does the inputs.conf file look like if you select "Collect data for each CPU" vs. "Collect sum for all CPUs"? Also, how do dimensions look in the inputs.conf file? For example, say I wanted to designate a web server in Seattle. In the Dimensions field in Add Data via the App, I'm assuming I'd put in location:seattle and role:webserver, but I'm unsure how that configuration would look in the inputs file. Also, are there known dimension identifiers such as "location" or "role", or is it really whatever we dream up?

0 Karma

dagarwal_splunk
Splunk Employee
Splunk Employee

instances = *  OR  instances = _Total  (for CPU Load)

Add dimensions in _meta field in inputs.conf:

Example:

_meta = os::"Microsoft Windows" location::seattle anykey::anyvalue

0 Karma
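Putting the two answers above together for the "web server in Seattle" case from the question, as an added example stanza (not from the original post or the app's generated script). The counter list and interval are carried over from the accepted answer; the dimension keys and values are the ones the question proposed.

```ini
# inputs.conf on the UF: per-CPU vs. summed collection, plus dimensions

[perfmon://CPU Load]
# instances = *       -> one metric series per processor instance
#                        ("Collect data for each CPU")
# instances = _Total  -> only the value summed over all CPUs
#                        ("Collect sum for all CPUs")
instances = _Total
counters = % Processor Time;% User Time;% Privileged Time
interval = 30
object = Processor
index = em_metrics
# Dimensions are key::value pairs separated by spaces. Keys are free-form;
# quote any value that contains spaces, as with the OS name.
_meta = os::"Microsoft Windows" location::seattle role::webserver
```

The same _meta line can be repeated on each perfmon stanza so that every metric from the host carries the same location and role dimensions.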

dagarwal_splunk
Splunk Employee
Splunk Employee

Are you trying to monitor windows server or Linux?

0 Karma

rriegert
New Member

MS Windows

0 Karma