Splunk Add-on for Unix and Linux: Is there a way to auto deploy this add-on to all my forwarders?

Explorer

On the Splunk Light server (indexer + UI, configured to be Distributor), I did the following:
I installed the Splunk Add-on for Unix and Linux (Splunk_TA_nix) according to instructions.
I set up the class so all my servers are included for this app.
Configured which scripts it should run (external data input scripts).
I restarted several times.

Each server I want to monitor has a Universal Forwarder installed.
Now, only 2 out of the total 5 forwarders return "Splunk_TA_nix app" metrics.
They are all identical in OS, firewalling, and forwarder installation procedure.
Is there a way to make this work without changing each forwarder individually? Because if it were like 500 instead of 5 forwarders, I would have a problem.

Thanks in advance.

0 Karma

Explorer

Can you clarify how you "set up the class so all [your] servers are included for this app"? When I try to edit apps for my server classes, I don't see this add-on available. And when I go to "Set Up" for the add-on, it just points me to the documentation.

I'd prefer to not have to manually install it on every forwarder but rather have them deployed centrally. Thanks!

0 Karma

Explorer

So I logged in to each server and added the forwarder address again (just to be sure) and restarted Splunk.
Nothing changed.
But the local logs pointed out that the deployment command of the Splunk_TA_nix app was sent from the deployment server.
So then I turned on all the scripts (Splunk indexer > GUI > data inputs > external scripts > enabled a lot of them).
So I see that the cpu script does not return data from all servers, but the uptime script does.
I am still looking into the environment differences that can explain this different behaviour.

0 Karma

Explorer

So then I installed the sysstat package on those (forward) servers with: yum install sysstat
Fixed it!
(To understand why one server already had this package installed, well... maybe I once needed it and forgot about it).
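
The fix above came down to a script input being enabled on forwarders that lacked the command it calls. The following check is an added example, not part of the thread or of the add-on: run on a forwarder, it lists enabled Splunk_TA_nix script inputs whose backing command is missing. The function names, the script-to-command mapping (cpu.sh to sar or mpstat, iostat.sh to iostat, all shipped in sysstat) and the inputs.conf path in the usage comment are assumptions to verify against your add-on version and install location.

```shell
#!/usr/bin/env bash
# Added example (not from the add-on): find enabled Splunk_TA_nix script
# inputs whose backing command is absent on this forwarder.
# Assumed mapping: cpu.sh -> sar or mpstat, iostat.sh -> iostat (sysstat).
# Assumed usage path:
#   bash check.sh /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf

# Succeed if at least one of the given commands is on PATH.
have_any() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Succeed if stanza [script://./bin/<script>] in inputs.conf file $1
# contains "disabled = 0" (or "disabled = false").
input_enabled() {
    awk -v want="[script://./bin/$2]" '
        /^\[/ { in_stanza = ($0 == want) }
        in_stanza && /^[ \t]*disabled[ \t]*=[ \t]*(0|false)[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print one line per enabled input that has none of its commands installed.
check_inputs() {
    conf=$1
    while read -r script tools; do
        input_enabled "$conf" "$script" || continue
        # Word splitting of $tools is intended: it holds a list of commands.
        have_any $tools ||
            echo "$script: enabled but none of [$tools] found; install sysstat"
    done <<'EOF'
cpu.sh sar mpstat
iostat.sh iostat
EOF
}

# Run the check only when a path to inputs.conf is given on the command line.
if [ "$#" -gt 0 ]; then
    check_inputs "$1"
fi
```

An empty result means every enabled input in the mapping has a command available; a missing or unreadable inputs.conf is treated as "nothing enabled".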
