Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk for *NIX

christopherhall
Engager
‎02-10-2011 08:08 PM

I have Splunk installed on a Windows server, and I want to collect data from certain Red Hat servers. I know I need to install Splunk as a light weight forwarder on the Red Hat systems, but do I need to install the "Splunk for UNIX and Linux" app on both the forwarder and the indexer?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 08:17 PM

You should install the *NIX app on those RHEL servers. The reason for this is that the app provides all the scripted inputs to grab the diagnostics data you will want to track (i.e. lsof, df, top, ps, etc.) without any additional work.

My recommendation is to install Splunk on a RHEL server, install the *NIX app, configure the app, ensure the app is operating properly -- you can see the populated dashboards -- then configure forwarding/receiving. Once you confirm the data is being received by your Indexers, convert Splunk on the RHEL server to an LWF:

./splunk enable app SplunkLightForwarder

View solution in original post

Reply
Solved! Jump to solution
Solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 08:17 PM

You should install the *NIX app on those RHEL servers. The reason for this is that the app provides all the scripted inputs to grab the diagnostics data you will want to track (i.e. lsof, df, top, ps, etc.) without any additional work.

My recommendation is to install Splunk on a RHEL server, install the *NIX app, configure the app, ensure the app is operating properly -- you can see the populated dashboards -- then configure forwarding/receiving. Once you confirm the data is being received by your Indexers, convert Splunk on the RHEL server to an LWF:

./splunk enable app SplunkLightForwarder
Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 08:22 PM

I would install the *NIX app on the Indexer, since it will provide you the dashboards/reports that you're going to use to view the data from the forwarders.

Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 08:22 PM

It should be noted that if you have a large number of these, you might want to look into Deployment Server to allow pushing configuration changes in bulk.

Reply
Solved! Jump to solution

Ron_Naken
Splunk Employee
Splunk Employee
‎02-10-2011 08:21 PM

This should get you going for the first RHEL server you setup, as it is the easiest method to install, configure, and diagnose any issues. You could create a reference RHEL in this manner, then install the others initially as an LWF and copy the app and configs.

0 Karma
Reply
Solved! Jump to solution

christopherhall
Engager
‎02-10-2011 08:19 PM

Would I need to install the *NIX app on the indexer?

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...