
Splunk Add-on for Unix and Linux: Is there a way to auto deploy this add-on to all my forwarders?

btcdirectinfra
Explorer

On the Splunk Light server (indexer + UI, configured to be Distributor) I did the following:
I installed the Splunk Add-on for Unix and Linux (Splunk_TA_nix) according to instructions.
I set up the class so all my servers are included for this app.
Configured which scripts it should run (external data input scripts).
I restarted several times.

Each server I want to monitor has a Universal Forwarder installed.
Now, only 2 out of the total 5 forwarders return "Splunk_TA_nix app" metrics.
They are all identical in OS, firewalling, and forwarder installation procedure.
Is there a way to make this work without changing each forwarder individually? Because if it were like 500 instead of 5 forwarders, I would have a problem.

Thanks in advance.

0 Karma
1 Solution

btcdirectinfra
Explorer

So I logged in to each server and added the forwarder address again (just to be sure) and restarted Splunk.
Nothing changed.
But the local logs pointed out that the deployment command of the Splunk_TA_nix app was sent from the deployment server.
So then I turned on all the scripts (Splunk indexer > GUI > data inputs > external scripts > enabled a lot of them).
So I see that the cpu script does not return data from all servers, but the uptime script does.
I am still looking into the environment differences that can explain this different behaviour.

0 Karma

circleup
Explorer

Can you clarify how you "set up the class so all [your] servers are included for this app"? When I try to edit apps for my server classes, I don't see this add-on available. And when I go to "Set Up" for the add-on, it just points me to the documentation.

I'd prefer to not have to manually install it on every forwarder but rather have them deployed centrally. Thanks!

0 Karma

btcdirectinfra
Explorer

So then I installed the sysstat package on those (forward) servers with: yum install sysstat
Fixed it!
(To understand why one server already had this package installed, well... maybe I once needed it and forgot about it).
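
The gap in this thread came from a package that was present on some forwarders and missing on others. As an added example (not from the original posts and not part of the add-on), this preflight check reports which sysstat binaries are absent from a given search path; the tool list and the key=value output format are assumptions.

```shell
#!/bin/sh
# Preflight check for a forwarder host: are the sysstat tools installed?
# SYSSTAT_TOOLS is an assumption (binaries shipped by the sysstat package);
# adjust it to the commands your enabled scripted inputs actually call.
SYSSTAT_TOOLS="sar mpstat iostat"

# find_in_path CMD SEARCH_PATH -> 0 if an executable file CMD is in SEARCH_PATH
find_in_path() {
    cmd=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        # An empty PATH entry means the current directory
        if [ -f "${dir:-.}/$cmd" ] && [ -x "${dir:-.}/$cmd" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# missing_tools SEARCH_PATH -> prints comma-separated missing tools (empty if none)
missing_tools() {
    missing=""
    for tool in $SYSSTAT_TOOLS; do
        if ! find_in_path "$tool" "$1"; then
            missing="${missing:+$missing,}$tool"
        fi
    done
    printf '%s' "$missing"
}

# preflight_report SEARCH_PATH -> one key=value line; returns 1 if a tool is missing
preflight_report() {
    m=$(missing_tools "$1")
    if [ -n "$m" ]; then
        printf 'check=sysstat status=missing tools="%s"\n' "$m"
        return 1
    fi
    printf 'check=sysstat status=ok\n'
}

# When run directly, check the PATH of the current user
preflight_report "$PATH" || true
```

Run it as the user the forwarder runs as, since that user's PATH is the one the scripted inputs see.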
