Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

enabling *nix with universal forwarder stops forwarding logs from /etc/system/local/inputs.conf

agent462
New Member
‎05-04-2011 02:14 PM

I'm trying to get the *nix app going using the universal forwarder. I can forward logs fine from /etc/system/local/inputs.conf until I enable the *nix app. Once I enable the app it does forward *nix /etc/apps/unix/local/inputs.conf logs but not my system defined logs.

When *nix is enabled the splunkd.log just stays on INFO TcpOutputProc - Connected to idx=:9997
When it's disabled it updates fine and shows processing of the log files.

I've tried the configuration from my main splunk receiver server that is also using *nix and the default one from the unix/defaults/. Both cause the same action.

0 Karma
Reply

agent462
New Member
‎05-04-2011 05:01 PM

I do have an OS index defined exactly like you described. I should have clarified a little better. My indexer is also my search head all in one box. From the portal I installed the *nix app and it's collecting data for that host.

I'm trying to get one host configured with the forwarder so I can deploy it to the rest of my hosts.

The machine I'm trying to get the Universal Forwarder on will also forward the *nix inputs but only those. Once I disabled the *nix app my inputs defined in my etc/system/local/inputs.conf will start flowing again. It's acting like it's one or the other.

0 Karma
Reply

hazekamp
Builder
‎05-04-2011 03:31 PM

Most inputs in the *nix app are configured to go to the "os" index. If you do not have this indexed defined on your indexer then the data will not be indexed. The easiest way to configure the os index would be to add the following configuration to your $SPLUNK_HOME/etc/system/local/indexes.conf:

## indexes.conf
[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

Installing the *nix app on your indexer will also provide this index, however it will enable certain things you wouldn't want enabled on a pure indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...