Looking for a good guide to deploying the *Nix app to all of my Universal Forwarders. Have around 50 forwarders set up, but would like to start collecting *Nix performance & process info on each and forward back to my indexers. Looking for some clear direction on how to do this. Do I just copy the *Nix App folder out to all of them? How does this work?
On the deployment server you will need to add a server class for all of your unix based servers in the serverclass.conf file. You can white list in the stanza you create based on machine type to match all of your unix based machines and assign the unix application to that serverclass to push the app out to the proper hosts.
I would recommend setting up a Splunk Deployment Server (typically done on search head) to push out a single *Nix app, or modified versions of the *Nix app if you want to collect different metrics from different systems.
This single point of management for pushing applications to your forwarders will make it extremely easy to configure data inputs.
See also: About Deployment Server
That's exactly what I'm looking to do. Documentation is sparse, though, on how to push out an App. Do I just copy the entire ./etc/apps/unix dir into ./etc/deployment-apps/unix? Does it all need to go into some new index - like servers-os or similar? I'm running 4.2 with universal forwarders deployed as deployment clients.