Monitoring CPU, RAM, and disk usage of Splunk forwarders

israbenbr
Explorer

Hello everyone,

I am posting this question because I didn't find any solution:

I have a trial version of Splunk Enterprise, and I already added forwarders on the servers I want to monitor.

I am trying to install the Splunk Add-on for Unix and Linux on these forwarders to be able to monitor their CPU, RAM and disk usage.

The problem is that these machines are under Ubuntu 20.04 without a graphical interface, and no option is available to download the .tgz file of this add-on directly via a command line, so I am unable to download this file on my forwarders.

Any ideas?

PS: If no link/command is available to do so, is there another way to import the RAM, CPU and disk data from these forwarders?

Thank you in advance!


gcusello
SplunkTrust
SplunkTrust

Hi @israbenbr,

you have two choices to deploy your TA:

For a test you could also use the first method, which is easier, but I suggest trying the second one because it's the usual way in Splunk when you have many clients to deploy.

Ciao.

Giuseppe


israbenbr
Explorer

Hello,

Thank you for your answer, but that is not the problem.

My problem is that I am not even able to download the TA on my forwarders, because the only option to do it is to connect to the Splunk portal via a web interface, and my forwarders are all under Ubuntu without a graphical interface.

So I cannot open a browser, because the only operations I can do are via command lines.

gcusello
SplunkTrust
SplunkTrust

Hi @israbenbr,

if you can connect via SSH, you can follow the second method because the download to the client is managed by the Deployment Server.

Ciao.

Giuseppe


israbenbr
Explorer

Hey,

I am coming back because I have a problem:

After configuring the forwarder to be a deployment client, it doesn't show up in the deployment management on the server.

I tried with another forwarder, same problem.

I tried everything: restarting Splunk on both the server and the client, but nothing works.

Any ideas?

Thank you

gcusello
SplunkTrust
SplunkTrust

Hi @israbenbr,

first, did you check that the route between the clients and the server is open?

You can check this using:

telnet ip_server_splunk 8089
telnet ip_server_splunk 9997

Before the second check you have to enable receiving on the Splunk server [Settings -- Forwarding and Receiving -- Receiving] on one port (default 9997).

Then you have to address the client to send logs to the server; you can do this following the documentation at https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configuretheuniversalforwarder

In a few words, you have to run on the client in the CLI:

./splunk add forward-server <host name or ip address>:<listening port>

In this way you create a file $SPLUNK_HOME/etc/system/local/outputs.conf that contains the address of the server to send logs to.

In the same location, you'll have the file deploymentclient.conf, containing the address of the Deployment Server, which in your test case is the same.

Ciao.

Giuseppe

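The checks described in the answer above, combined into one script, as an added example that is not part of the original posts: it reads the targets a forwarder is configured with (`server` in outputs.conf, `targetUri` in deploymentclient.conf) and tests each one over TCP, which also works on hosts where telnet is not installed. The function names and the sample files written by `make_sample_dir` are constructed for illustration, and the script assumes `bash` and coreutils `timeout` are available.

```shell
#!/bin/sh
# Added example: verify a forwarder's configured targets are reachable over TCP.
# Function names and the sample values below are constructed for illustration.

# conf_value FILE KEY: print the first "KEY = value" setting found in FILE.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# port_open HOST PORT: succeed if a TCP connection is accepted within 3 seconds.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_forwarder DIR: test every target named in outputs.conf (server) and
# deploymentclient.conf (targetUri); return the number of problems found.
check_forwarder() {
    failures=0
    for pair in outputs.conf:server deploymentclient.conf:targetUri; do
        file=${pair%%:*}; key=${pair##*:}
        if [ ! -f "$1/$file" ]; then
            echo "MISSING  $file"; failures=$((failures + 1)); continue
        fi
        targets=$(conf_value "$1/$file" "$key" | tr ',' ' ')
        if [ -z "$targets" ]; then
            echo "UNSET    $key in $file"; failures=$((failures + 1)); continue
        fi
        for target in $targets; do
            if port_open "${target%:*}" "${target##*:}"; then
                echo "OPEN     $target ($file)"
            else
                echo "BLOCKED  $target ($file)"; failures=$((failures + 1))
            fi
        done
    done
    return "$failures"
}

# make_sample_dir: write constructed config files that point at a closed local port.
make_sample_dir() {
    dir=$(mktemp -d)
    printf '[tcpout:default-autolb-group]\nserver = 127.0.0.1:1\n' > "$dir/outputs.conf"
    printf '[target-broker:deploymentServer]\ntargetUri = 127.0.0.1:1\n' > "$dir/deploymentclient.conf"
    echo "$dir"
}

# Usage on a forwarder: sh check.sh "$SPLUNK_HOME/etc/system/local"
if [ "$#" -gt 0 ]; then check_forwarder "$1"; fi
```

A `BLOCKED` line for a target that is listening on the server side points to a firewall or routing rule between the forwarder and the server rather than to the Splunk configuration.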

gcusello
SplunkTrust
SplunkTrust

Hi @israbenbr,

ok, good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

israbenbr
Explorer

Hi again,

Thank you very much, the problem was that the ports were not opened.

Thank you!