(unfortunately) My Splunk server is on Windows... but I need to monitor Linux servers

rileyken
Explorer

I have a single Windows server running Splunk Enterprise, and I have a Linux server with the universal forwarder installed and sending logs... that is working. Now I need to add the nix-add-on so I can get stats on the Linux box, so I put the add-on in the /etc/apps folder in the universal forwarder and restarted... so the forwarder should be running the add-on.

How do I configure the add-on to send the data back to the (Windows) Splunk server?

If I run the add-on in the Splunk portal, it complains there is no Linux to run.

Help!

0 Karma

jacobpevans
Motivator

Greetings @rileyken,

I agree with @martynoconnor. Since you're still having issues, can you also confirm the following?

The Splunk Technology Add-on for Unix and Linux works with the Splunk App for Unix and Linux to provide rapid insights and operational visibility into large-scale Unix and Linux environments.
https://splunkbase.splunk.com/app/833/

The Splunk App for Unix and Linux can be deployed in a number of ways. The most common way is to deploy a "central" Splunk instance that has indexers and search heads, contains the main Splunk App for Unix and Linux index, and runs Splunk Web.
https://docs.splunk.com/Documentation/UnixApp/latest/User/WhataSplunkAppforUnixandLinuxdeploymentloo...

Can you verify that the add-on is installed on the Linux universal forwarder and that the app is installed on all: search heads, indexers, and heavy forwarders? My guess is that you have the forwarder set up mostly correctly, but you have the add-on installed on your Splunk instance instead of the app.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

martynoconnor
Communicator

So long as the Universal Forwarder on the Linux server is configured in outputs.conf to send its data to the Windows server, then adding the TA for Linux to it will mean that the Linux server will send its data too. You'll need to enable inputs on the TA on the Linux server. To do this, go to the default folder in the Linux TA, and copy inputs.conf to the local folder (if local doesn't exist, then create it). In local/inputs.conf delete all stanzas except those you'd like to enable, and then change the entry for that stanza to enable it. Off the top of my head I can't remember if it's disabled = true or enabled=false, but it should be quite clear.

You should also install the TA for Linux on your Windows server, but leave all inputs disabled as they don't apply to Windows machines.

0 Karma
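
The default/local layering described in the answer above, as an added example that is not part of the original posts: it writes a minimal `local/inputs.conf` override for chosen stanzas and reports which inputs end up enabled once local is layered over default. The stanza names and values in the sample file are constructed for illustration, and the function names are hypothetical; check the real `default/inputs.conf` in the TA for what your version ships.

```shell
#!/bin/sh
# Added example (not from the thread). Sample stanzas and values are constructed.

# write_sample_default FILE: constructed stand-in for Splunk_TA_nix/default/inputs.conf
write_sample_default() {
    cat > "$1" <<'EOF'
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
disabled = 1

[script://./bin/df.sh]
interval = 300
sourcetype = df
disabled = 1

[monitor:///var/log]
disabled = 1
EOF
}

# enable_stanzas DEFAULT_CONF STANZA...: print overrides for local/inputs.conf.
# Only the header and "disabled = 0" are written; other keys are inherited from default.
enable_stanzas() {
    conf=$1; shift
    for want in "$@"; do
        grep -qxF "[$want]" "$conf" || { echo "no stanza [$want] in $conf" >&2; return 1; }
        printf '[%s]\ndisabled = 0\n\n' "$want"
    done
}

# effective_inputs DEFAULT_CONF LOCAL_CONF: layer local over default, print "stanza<TAB>state".
effective_inputs() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from files edited on Windows
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        /^\[.*\]$/ { s = substr($0, 2, length($0) - 2)
                     if (!(s in seen)) { seen[s] = 1; order[++n] = s }
                     next }
        s != "" && /^[ \t]*disabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            state[s] = (v == "0" || tolower(v) == "false") ? "enabled" : "disabled"
        }
        # Assumption: a stanza with no "disabled" key counts as enabled.
        END { for (i = 1; i <= n; i++)
                  printf "%s\t%s\n", order[i], ((order[i] in state) ? state[order[i]] : "enabled") }
    ' "$1" "$2"
}
```

On a real forwarder, `splunk btool inputs list --debug` shows the same merged view along with the file each setting came from.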

rileyken
Explorer

I copied the inputs.conf to the newly created /local directory under Splunk_TA_nix/

My inputs.conf file had disabled = 1 at the end of each stanza. I decided that meant disabled = true, changed them all to disabled = 0, and restarted.

Then I went to the portal/indexer (Windows), went into the add-on window, made sure they were all set to disable, and then hit save. This brought up the error message about this not being a Linux server, and it would not go away, so I am wondering how to use the add-on on the portal to view the metrics configured on the Linux box with the universal forwarder?

0 Karma

rileyken
Explorer

Does anyone know how to view the results in the portal? (I am stuck at the configuration screen)

0 Karma