
How to install Splunk TA for Unix on a Universal Forwarder?

Explorer

The document that provides instructions on how to install Splunk TA for Unix on a Universal Forwarder is for a .tar.gz file. However, the downloaded version I received from Splunk Apps is a .tgz file. When I open this file, the README does not contain installation instructions. How do I install the file named SplunkTAnix-4.7.0-156739.tgz on a RHEL Universal Forwarder?


Re: How to install Splunk TA for Unix on a Universal Forwarder?

Splunk Employee

Hi kmsnyde,

.tar.gz and .tgz are the exact same type of file. Your *nix system should have no trouble reading the file.

You can install the TA using the same instructions.


Re: How to install Splunk TA for Unix on a Universal Forwarder?

Explorer

Thanks. Those are the instructions I have but I did not realize (or try) that it would work the same (substituting the file extension).

0 Karma

Re: How to install Splunk TA for Unix on a Universal Forwarder?

Splunk Employee

Here's a slightly longer answer with pictures. Just wrote this up for a Splunk Cloud customer, thought I'd share with you guys:

If you haven’t set up a forwarder and a TA before, it’s a bit tricky.

You will need to download and install the forwarder, then install the Technology Add-on, which you can download at apps.splunk.com. Make sure you get the TA, not the app.

You should read this page, and specifically here, on how to set up your forwarder and Unix TA (Technology Add-on – that goes out and collects the lsof, netstat, vmstat etc… data)

The tricky part is: after you install the forwarder and the TA, you still need to enable the inputs, so you can run this script:

$SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh

You log in using the default creds; assuming you haven’t changed them, it's admin / changeme

And that gives you a menu:

*** Splunk> *nix command-line setup > MAIN MENU ***

You are currently managing Splunk server 'localhost.localdomain'

    Please choose from one of the following options:

1 - show *nix input status
2 - manage *nix inputs
3 - install/upgrade app
4 - change credentials
5 - connect to remote instance

0 - logout and exit program

Enter selection:

Select 2, and then you can just enable all, or whatever you want really.

*** Splunk> *nix command-line setup > MANAGE INPUTS ***

You are currently managing Splunk server 'localhost.localdomain'

    Please choose from one of the following options:

1 - manage one input
2 - enable all inputs
3 - disable all inputs
4 - go back to main menu

0 - logout and exit program

Enter selection:

To start, probably choose #2, then we can tune it back later.

Then, after you ‘0’, you can return to your trial and hit up the app. You’ll see data now:


Regards,
Kyle


Re: How to install Splunk TA for Unix on a Universal Forwarder?

Explorer

I have done that,
but I still get nothing when I hit the APP.

Do you know what could be a problem?

0 Karma

Re: How to install Splunk TA for Unix on a Universal Forwarder?

New Member

setup.sh did not run on my Ubuntu 16.04 server. Issue with function definition for /bin/sh.

I had to change the first line from #!/bin/sh to #!/bin/bash

0 Karma
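
The failure reported in the last post can be checked for before running a script on a host where /bin/sh is dash (Ubuntu) rather than bash (RHEL). The following is an added example, not part of the thread or of the TA: it flags scripts that declare #!/bin/sh but use the bash-only `function` keyword. It assumes that keyword is the "function definition" issue the poster hit; `write_sample` builds a constructed script, not the TA's real setup.sh.

```shell
#!/bin/sh
# Added example: detect a #!/bin/sh script that uses the bash-only
# "function" keyword, which dash rejects.

# Show what /bin/sh resolves to on this host (dash on Ubuntu, bash on RHEL).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# check_sh_portability FILE
# Returns 0 if nothing is flagged, 1 if bash-only "function" syntax is found
# under a plain sh shebang, 2 if the file cannot be read.
check_sh_portability() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    shebang=$(head -n 1 "$file")
    case $shebang in
        '#!/bin/sh'*|'#! /bin/sh'*|'#!/usr/bin/env sh'*) ;;
        *) return 0 ;;   # interpreter is not plain sh; nothing to flag
    esac
    # "function name" is a bash/ksh extension; POSIX sh only has "name() { ... }".
    hits=$(grep -nE '^[[:space:]]*function[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$file" || true)
    if [ -n "$hits" ]; then
        echo "$file: #!/bin/sh shebang but bash-only 'function' keyword at:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample input (hypothetical, not the real setup.sh).
write_sample() {
    printf '%s\n' '#!/bin/sh' 'function show_menu {' '  echo menu' '}' 'show_menu' > "$1"
}
```

A script flagged with return code 1 either needs a bash shebang, as the poster did, or its definitions rewritten in the POSIX `name() { ... }` form.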