I have single windows server running Splunk enterprise, and I have a Linux server with the universal forwarder installed and sending logs... that is working, now I need to add the nix-add-on so I can get stats on the Linux box, so I put the add-on in the /etc/apps folder in the universal forwarder and restarted... so forwarder should be running the add-on.
How do I configure the add on to send the data back to the (windows) Splunk server?
if I run the add on in the Splunk portal, it complains there is no Linux to run..
I agree with @martynoconnor. Since you're still having issues, can you also confirm the following?
The Splunk Technology Add-on for Unix and Linux works with the Splunk App for Unix and Linux to provide rapid insights and operational visibility into large-scale Unix and Linux environments. https://splunkbase.splunk.com/app/833/
Can you verify that the add-on is installed on the Linux universal forwarder and that the app is installed on all: search heads, indexers, and heavy forwarders? My guess is that you have the forwarder set up mostly correctly, but you have the add-on installed on your Splunk instance instead of the app.
If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
So long as the Universal Forwarder on the Linux server is configured in outputs.conf to send its data to the Windows server, then adding the TA for Linux to it will mean that the Linux server will send its data too. You'll need to enable inputs on the TA on the Linux server. To do this, go to the default folder in the Linux TA, and copy inputs.conf to the local folder (if local doesn't exist, then create it). In local/inputs.conf delete all stanzas except those you'd like to enable, and then change the entry for that stanza to enable it. Off the top of my head I can't remember if it's disabled = true or enabled=false, but it should be quite clear.
You should also install the TA for Linux on your Windows server, but leave all inputs disabled as they don't apply to Windows machines.
I copied the inputs.conf to the newly created /local directory under Splunk_TA_nix/
my inputs.conf file had disabled = 1 at the end of each stanza, I decided that meant disabled =true and changed them all to disabled =0 and restarted.
then I wend to the portal/indexer (windows) went into the addon window, and made sure they were all set to disable, and then hit save. This brought up the error message about this not being a Linux server, and it would not go away so I am wondering how to use the addon on the portal to view the metrics configured on the Linux box with the universal forwarder?