Hello
We have a search head clustering setup and deployment servers. We need to implement the Splunk Add-on for Unix and Linux to monitor hosts. How can we do that?
The general approach for a DS-managed app is as follows:
Login to the GUI of the DS
Install the app (e.g. the Linux TA) on the DS
Login to the CLI of the DS
su - splunk
mv $SPLUNK_HOME/etc/apps/Splunk_TA_nix $SPLUNK_HOME/etc/deployment-apps/
cd $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/
rm -rf samples
mkdir local
cd local
cp ../default/inputs.conf .
vi inputs.conf
Remove every line EXCEPT for the stanza headers (lines that start with [ and end with ]) and the disabled = lines.
For any input that you desire, change the disabled = 1 (or disabled = true) lines to disabled = false.
Save the file.
Push it out.
Also, set is_visible=false in app.conf in the local directory. This will keep people from interacting with it on your Search Head and messing up your settings.
Do you guys have specific things you monitor though? 200MB per day per server seems really high.
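The procedure in the answer above, scripted end to end as an added example (this is not code from the thread or from the add-on itself). It moves the TA from etc/apps to etc/deployment-apps, drops samples/, writes a local/inputs.conf that keeps only the stanza headers and disabled lines with the chosen inputs switched on, and writes the hiding app.conf. The function names, the stanza names passed in, and the stand-in default/inputs.conf are all assumptions made for the example; the stand-in is constructed so the script can be tried without a Splunk install.

```shell
#!/bin/sh
# Added example, not code from the thread: scripts the DS-side steps from the
# answer above (move the TA to deployment-apps, drop samples/, write a trimmed
# local/inputs.conf, hide the app via local/app.conf).
set -eu

# Constructed stand-in for the TA's default/inputs.conf, so the script runs
# without a Splunk install.  Stanza names follow the TA's naming; the values
# are illustrative only.
SAMPLE_DEFAULT_INPUTS='[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 1

[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
source = cpu
index = os
disabled = 1

[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog|anaconda\.syslog)
index = os
disabled = 1
'

# trim_inputs_conf SRC DST [STANZA...]
# Keep only stanza headers and "disabled =" lines from SRC; set disabled = false
# for the stanzas named as arguments (without brackets).  Every other input keeps
# whatever the default says, so nothing is switched on by accident.
trim_inputs_conf() {
  src=$1; dst=$2; shift 2
  enable=$(printf '%s\n' "$@")
  awk -v enable="$enable" '
    BEGIN {
      n = split(enable, list, "\n")
      for (i = 1; i <= n; i++) if (list[i] != "") want[list[i]] = 1
    }
    /^\[.*\]$/ {
      name = substr($0, 2, length($0) - 2)
      if (seen++) print ""
      print
      next
    }
    /^[[:space:]]*disabled[[:space:]]*=/ {
      if (name in want) print "disabled = false"; else print
      next
    }
  ' "$src" > "$dst"
}

# enabled_inputs FILE
# List the stanzas FILE leaves enabled (disabled = false or 0), one per line.
enabled_inputs() {
  awk '
    /^\[.*\]$/ { name = substr($0, 2, length($0) - 2); next }
    /^[[:space:]]*disabled[[:space:]]*=/ {
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      if (v == "false" || v == "0") print name
    }
  ' "$1"
}

# write_hidden_app_conf LOCAL_DIR
# app.conf in local/ with is_visible = false, so nobody edits the TA through
# the search head UI and clobbers the deployed settings.
write_hidden_app_conf() {
  printf '[ui]\nis_visible = false\n' > "$1/app.conf"
}

# build_deployment_app SPLUNK_HOME [STANZA...]
# The full procedure: etc/apps -> etc/deployment-apps, remove samples/, create
# local/ with the trimmed inputs.conf and the hidden app.conf.  Prints the
# deployment app's path.
build_deployment_app() {
  home=$1; shift
  app="$home/etc/deployment-apps/Splunk_TA_nix"
  mkdir -p "$home/etc/deployment-apps"
  mv "$home/etc/apps/Splunk_TA_nix" "$app"
  rm -rf "$app/samples"
  mkdir -p "$app/local"
  trim_inputs_conf "$app/default/inputs.conf" "$app/local/inputs.conf" "$@"
  write_hidden_app_conf "$app/local"
  printf '%s\n' "$app"
}

# Dry run in a throwaway SPLUNK_HOME.  On the real deployment server, after
# installing the TA through the GUI, run as the splunk user:
#   build_deployment_app "$SPLUNK_HOME" "script://./bin/cpu.sh" "monitor:///var/log"
DEMO_HOME=$(mktemp -d)
mkdir -p "$DEMO_HOME/etc/apps/Splunk_TA_nix/default" "$DEMO_HOME/etc/apps/Splunk_TA_nix/samples"
printf '%s' "$SAMPLE_DEFAULT_INPUTS" > "$DEMO_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf"
DEMO_APP=$(build_deployment_app "$DEMO_HOME" "script://./bin/cpu.sh" "monitor:///var/log")
cat "$DEMO_APP/local/inputs.conf"
```

The resulting local/inputs.conf carries only headers and disabled lines, so interval, sourcetype and index still come from default/, and a later TA upgrade that replaces default/ does not touch your selections. Once the app is in deployment-apps and mapped in serverclass.conf, `$SPLUNK_HOME/bin/splunk reload deploy-server` pushes it to the clients.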
Building on the brilliance of @woodcock, what are the best practices to create a local configuration file?
I just use the CLI and copy app.conf from some other app. If the local directory does not exist in your app, just do mkdir local.
I'm slightly confused by "monitor hosts". Do you want to send the TA to the client systems, or are you thinking of it just on your clustering systems?
But in general, this is how you do it:
1. Planning and Design => Decide your organisation's Linux monitoring requirements and enable ONLY them in a separate app by copying the stanzas from Splunk_TA_nix (e.g. MY_nix_inputs/local/inputs.conf).
2. Endpoints/Clients via UF => Push the Splunk_TA_nix and MY_nix_inputs apps to the relevant client systems which have Splunk Universal Forwarders (UF) installed, and send the data to your Splunk cluster. Manage both apps via your deployment server.
3. Indexers => Install Splunk_TA_nix on your indexers (slave-apps), or use Splunk_TA_for_indexers (just the index-time configs), via the Cluster Master.
4. Search Head Cluster => Install Splunk_TA_nix on your SH Cluster via the deployer.
5. Heavy Forwarders => If you have HFs between clients and indexers, install the TA via the deployment server.
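Step 2 above, as an added example (not from the answer): a serverclass.conf on the deployment server that hands both the stock TA and the separate inputs app to the Linux forwarders. The server class name `linux_hosts` and the hostname pattern `linux-*` are assumptions for the example; the stock `Splunk_TA_nix` stays untouched and `MY_nix_inputs/local/inputs.conf` is the only place where inputs are switched on, so upgrading the TA never changes which inputs run.

```ini
# $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server
# (added example; class name and whitelist pattern are assumptions)

[serverClass:linux_hosts]
# match clients by the hostname they report to the DS
whitelist.0 = linux-*

# the unmodified add-on: scripts, props/transforms, all inputs disabled by default
[serverClass:linux_hosts:app:Splunk_TA_nix]
restartSplunkd = true

# the site-specific overlay: only the stanzas you decided to enable in step 1,
# e.g. [script://./bin/cpu.sh] with disabled = false in local/inputs.conf
[serverClass:linux_hosts:app:MY_nix_inputs]
restartSplunkd = true
```

The overlay app is read after Splunk_TA_nix, so a `disabled = false` in MY_nix_inputs/local/inputs.conf wins over the TA's `disabled = 1` for the same stanza while interval, sourcetype and index still come from the TA's default/.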