I have numerous Ubuntu servers forwarding syslog information to SPLUNK. It is all being logged and can be searched from the main search page in the SPLUNK interface. They do show up as hosts with their proper host names. My problem is that the "*NIX" app does not see them as Linux hosts. The only Linux server that is listed in the *NIX Hosts field is the Splunk server itself. Help?
Do you have the *nix app deployed to these Ubuntu hosts, or are you just sending data over syslog? I could be wrong, but I think it's looking at data provided by scripts to determine they are Linux hosts.
Mike is correct. Use the forwarder on the Unix system with the app installed on that forwarder under $SPLUNK_HOME/etc/apps. This app, if you download it, contains many scripts that run and forward the data via the forwarder to the Splunk indexer. To see the scripts, look in the bin directory in the App, or look at the inputs.conf in the default directory to see how they are being called.
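As an added example (not from this thread, and not part of the *NIX app or Splunk), here is a POSIX shell script that does the check the answer above describes on a forwarder: it reads an app's default/inputs.conf and local/inputs.conf, layers them the way Splunk does (keys in local win), and lists which script:// stanzas would actually run. The app directory, the script names and the stanza contents are constructed assumptions that only mirror the default/local layout.

```shell
#!/bin/sh
# Added example: which scripted inputs would a forwarder actually run for an app
# under $SPLUNK_HOME/etc/apps/<app>/ (assumed layout: default/ and local/ each
# holding an inputs.conf; local keys override default keys per stanza).
# Constructed sample app; stanza contents are illustrative, not the real *NIX app.
make_sample_app() {
    d=$(mktemp -d)
    mkdir -p "$d/default" "$d/local"
    cat >"$d/default/inputs.conf" <<'EOF'
# Shipped defaults: scripted inputs are off until enabled in local/
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
disabled = 1

[script://./bin/df.sh]
interval = 300
sourcetype = df
disabled = 1

[monitor:///var/log]
disabled = 0
EOF
    cat >"$d/local/inputs.conf" <<'EOF'
# Administrator enabled only cpu.sh on this forwarder
[script://./bin/cpu.sh]
disabled = 0
EOF
    printf '%s\n' "$d"
}
# Prints "<stanza><TAB><interval>" for each [script://...] stanza still enabled.
list_scripted_inputs() {
    app_dir=$1
    for f in "$app_dir/default/inputs.conf" "$app_dir/local/inputs.conf"; do
        [ -f "$f" ] && cat "$f"        # missing file is fine (e.g. no local/)
    done | awk '
        /^[ \t]*[[]/ { cur=$0; gsub(/^[ \t]*[[]|[]][ \t]*$/, "", cur); if (!(cur in seen)) { seen[cur]=1; order[++n]=cur }; next }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                   # comments and blank lines
        index($0, "=") { k=$0; v=$0; sub(/[ \t]*=.*/, "", k); sub(/^[^=]*=[ \t]*/, "", v)
                         gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", v); kv[cur SUBSEP k]=v; next }
        END { for (i=1; i<=n; i++) { s=order[i]; if (s !~ /^script:\/\//) continue
                d=tolower(kv[s SUBSEP "disabled"]); if (d=="1" || d=="true") continue
                iv=kv[s SUBSEP "interval"]; if (iv=="") iv="-"; print s "\t" iv } }'
}
# Usage: sh list_inputs.sh [/path/to/app]; with no argument the constructed sample is used.
app=${1:-$(make_sample_app)}
list_scripted_inputs "$app"
[ -n "$1" ] || rm -rf "$app"
```

On the sample, only cpu.sh is reported (interval 30): df.sh stays disabled because nothing in local/ overrides it, and the monitor stanza is not a scripted input.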
Not sure if I understand. I have the "splunkforwarder-4.2-96430-Linux-x86_64.tgz" that I can deploy on each of the Linux hosts that I am logging. Is this what you are referring to as "app"? I have the "*NIX" app already running on the SPLUNK instance, and it works to report on the SPLUNK server instance itself. Is this all that is required, or is there something else that needs to go on each host?
The *nix app should be run on all hosts that run a Splunk instance, whether that is the indexer/search head or forwarder.
That is assuming you want that extra data provided.