How to install Splunk TA for Unix on a Universal Forwarder?

kmsnyde
Explorer

The document that provides instructions on how to install Splunk TA for Unix on a Universal Forwarder is for a .tar.gz file. However, the downloaded version I received from Splunk Apps is a .tgz file. When I open this file, the README does not contain installation instructions. How do I install the file named Splunk_TA_nix-4.7.0-156739.tgz on a RHEL Universal Forwarder?

1 Solution

khourihan_splun
Splunk Employee

Here's a slightly longer answer with pictures. Just wrote this up for a Splunk Cloud customer, thought I'd share with you guys:

If you haven’t set up a forwarder and a TA before, it’s a bit tricky.

You will need to download and install the forwarder, then install the Technology Add-on; you can download it at apps.splunk.com. Make sure you get the TA, not the app.

You should read this page, and specifically here, on how to set up your forwarder and Unix TA (Technology Add-on, which goes out and collects the lsof, netstat, vmstat, etc. data).

The tricky part is: after you install the forwarder and the TA, you still need to enable the inputs, so you can run this script:

$SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh

You log in using the default creds; assuming you haven’t changed them, it’s admin / changeme.

And that gives you a menu:

*** Splunk> *nix command-line setup > MAIN MENU ***

You are currently managing Splunk server 'localhost.localdomain'

    Please choose from one of the following options:

1 - show *nix input status
2 - manage *nix inputs
3 - install/upgrade app
4 - change credentials
5 - connect to remote instance

0 - logout and exit program

Enter selection:

Select 2, and then you can just enable all, or whatever you want really.

*** Splunk> *nix command-line setup > MANAGE INPUTS ***

You are currently managing Splunk server 'localhost.localdomain'

    Please choose from one of the following options:

1 - manage one input
2 - enable all inputs
3 - disable all inputs
4 - go back to main menu

0 - logout and exit program

Enter selection:

To start, probably choose #2, then we can tune it back later.

Then, after you ‘0’, you can return to your trial and hit up the app. You’ll see data now:

Regards,
Kyle
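
A non-interactive counterpart to the menu's "show *nix input status" and "manage *nix inputs" steps, added here as an example and not part of the original answer or of the TA's own code. It assumes the TA declares its inputs as `[script://./bin/<name>.sh]` stanzas with `disabled = 1` in `default/inputs.conf` and that `local/inputs.conf` overrides them; the sample file and the function names are constructed for illustration.

```shell
# Constructed sample standing in for the TA's default/inputs.conf (assumed layout).
sample_default_conf() {
    cat <<'EOF'
[script://./bin/vmstat.sh]
sourcetype = vmstat
disabled = 1

[script://./bin/netstat.sh]
sourcetype = netstat
disabled = 1

[script://./bin/lsof.sh]
sourcetype = lsof
disabled = 1
EOF
}

# input_status CONF: print "<stanza> enabled|disabled" for each script input.
input_status() {
    awk '
        function emit() { if (stanza != "") print stanza, (off ? "disabled" : "enabled") }
        /^\[script:\/\// { emit(); stanza = $0; off = 0; next }
        /^\[/            { emit(); stanza = ""; next }
        /^[ \t]*disabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]*$/, "", v)
            off = (v == "1" || tolower(v) == "true")
        }
        END { emit() }
    ' "$1"
}

# enable_inputs CONF NAME...: print local/inputs.conf overrides that enable
# only the named inputs; refuses any name that has no stanza in CONF.
enable_inputs() {
    conf=$1; shift
    for name in "$@"; do
        grep -qxF -- "[script://./bin/$name.sh]" "$conf" ||
            { echo "unknown input: $name" >&2; return 1; }
    done
    for name in "$@"; do
        printf '[script://./bin/%s.sh]\ndisabled = 0\n\n' "$name"
    done
}
```

Redirect the output of `enable_inputs` into the app's `local/inputs.conf` and restart the forwarder for the change to take effect; only the inputs you name are turned on.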

samywee
New Member

setup.sh did not run on my Ubuntu 16.04 server. Issue with function definition for /bin/sh.

I had to change the first line from #!/bin/sh to #!/bin/bash

0 Karma

alexlit
Explorer

I have done that, but I still get nothing when I hit the app.

Do you know what could be the problem?

0 Karma

malmoore
Splunk Employee

Hi kmsnyde,

.tar.gz and .tgz are the exact same type of file. Your *nix system should have no trouble reading the file.

You can install the TA using the same instructions.
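
A pre-extraction check that treats `.tgz` and `.tar.gz` identically, added here as an example and not part of the original answer. It assumes the package unpacks to a single top-level `Splunk_TA_nix/` directory (the directory name used in the setup.sh path earlier in the thread); the function names are hypothetical.

```shell
# check_ta_archive FILE [TOPDIR]
# Succeeds only if FILE is a gzip-compressed tar, whatever its extension, and
# every member stays under TOPDIR/ (no absolute paths, no ".." components).
check_ta_archive() {
    archive=$1
    top=${2:-Splunk_TA_nix}   # assumed top-level directory of the add-on

    # gzip -t tests the compressed stream itself, so the file name is irrelevant.
    gzip -t "$archive" 2>/dev/null ||
        { echo "not a gzip stream: $archive" >&2; return 1; }
    members=$(tar -tzf "$archive" 2>/dev/null) ||
        { echo "not a tar archive: $archive" >&2; return 1; }
    [ -n "$members" ] || { echo "empty archive: $archive" >&2; return 1; }

    # Here-document keeps the loop in the current shell so "return" works.
    while IFS= read -r m; do
        case $m in
            /*|..|../*|*/../*|*/..) echo "unsafe member: $m" >&2; return 1 ;;
            "$top"|"$top"/*|./"$top"|./"$top"/*) ;;
            *) echo "member outside $top/: $m" >&2; return 1 ;;
        esac
    done <<EOF
$members
EOF
    return 0
}

# install_ta FILE APPS_DIR: extract into the apps directory only after the
# check passes, e.g. install_ta Splunk_TA_nix-4.7.0-156739.tgz "$SPLUNK_HOME/etc/apps"
install_ta() {
    check_ta_archive "$1" && tar -xzf "$1" -C "$2"
}
```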

kmsnyde
Explorer

Thanks. Those are the instructions I have but I did not realize (or try) that it would work the same (substituting the file extension).

0 Karma