I am running Splunk on a Solaris server.
I have deployed 4 universal forwarders, 3 on Solaris machines and 1 on a Windows virtual machine.
The Splunk server and all the forwarding machines are on the same VLAN and no firewall is involved in their communication.
All my forwarders are listed in the Deployment Monitor; however, my NIX app is not listing these servers under the host list in the CPU by host or Memory by host menu items.
I have installed the fieldextractor app of Splunk and it's showing all my hosts and all the data transferred.
I want these servers to be listed there under the host list of NIX so I can have statistical graphs of these servers in NIX. Currently I have only one entry in the host list, i.e. "host", and it is showing the statistics of the Splunk server itself.
Please suggest what I should do to list my forwarded servers in the host list of the NIX app.
I just saw that this post is still unanswered, which indicates that the problem is still unresolved, so I am answering your problem below.
First of all, forwarding from Windows OS to the NIX application is not supported. The NIX app can handle data forwarded only from Unix-based OSes [i.e. Linux, Solaris etc.]
Copy and paste the NIX app into SplunkHome/etc/apps/, where SplunkHome is the directory where your forwarder is installed.
Change your directory to SplunkHome/bin and register your forwarder using the following commands:
./splunk start
./splunk add forward-server <SplunkServerIP>:<Receiving Port>
./splunk restart
[In case of any username/password prompt during execution of the above commands, please use admin/changeme as the username/password]
Set the data to be forwarded in SplunkHome/etc/apps/unix/bin/local/inputs.conf. As a sample, I am sending you a full configuration file which will send all the parameters every second to your Splunk server. Just copy the data below and paste it in your inputs.conf file at
[To change the interval at which the forwarder posts data to the Splunk server, change the interval value below; to disable some specific information, set disabled = 1]
[script://./bin/cpu.sh]
interval=1
sourcetype=cpu
index=os
disabled=0

[script://./bin/df.sh]
interval=1
sourcetype=df
index=os
disabled=0

[script://./bin/hardware.sh]
interval=1
sourcetype=hardware
index=os
disabled=0

[script://./bin/interfaces.sh]
interval=1
sourcetype=interfaces
index=os
disabled=0

[script://./bin/iostat.sh]
interval=1
sourcetype=iostat
index=os
disabled=0

[script://./bin/lastlog.sh]
interval=1
sourcetype=lastlog
index=os
disabled=0

[script://./bin/lsof.sh]
interval=1
sourcetype=lsof
index=os
disabled=0

[script://./bin/netstat.sh]
interval=1
sourcetype=netstat
index=os
disabled=0

[script://./bin/openPorts.sh]
interval=1
sourcetype=openPorts
index=os
disabled=0

[script://./bin/package.sh]
interval=1
sourcetype=package
index=os
disabled=0

[script://./bin/protocol.sh]
interval=1
sourcetype=protocol
index=os
disabled=0

[script://./bin/ps.sh]
interval=1
sourcetype=ps
index=os
disabled=0

[script://./bin/rlog.sh]
interval=1
sourcetype=rlog
index=os
disabled=0

[script://./bin/time.sh]
interval=1
sourcetype=time
index=os
disabled=0

[script://./bin/top.sh]
interval=1
sourcetype=top
index=os
disabled=0

[script://./bin/usersWithLoginPrivs.sh]
interval=1
sourcetype=userswithLoginPrivs
index=os
disabled=0

[script://./bin/vmstat.sh]
interval=1
sourcetype=vmstat
index=os
disabled=0

[script://./bin/who.sh]
interval=300
sourcetype=who
index=os
disabled=0
To forward your Windows data you need to install the Splunk Windows application on your Splunk server [same as you installed the NIX app] and do the above-mentioned activity as per the Windows OS format.
For further details please refer to http://splunk-base.splunk.com/answers/50082/how-do-i-configure-a-splunk-forwarder-on-linux
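A quick way to check a forwarder's inputs.conf before restarting it, as an added example that is not part of the answer above or of Splunk's own tooling: it lists which scripted inputs are enabled and sent to the index the answer uses (os), and which stanzas are disabled or point elsewhere. The names audit_inputs, expected_index and SAMPLE are hypothetical, and the sample text is constructed.

```python
import configparser

# Constructed sample in the stanza layout the answer uses; not a real host's file.
SAMPLE = """\
[script://./bin/cpu.sh]
interval=1
sourcetype=cpu
index=os
disabled=0

[script://./bin/vmstat.sh]
interval=1
sourcetype=vmstat
index=main
disabled=0

[script://./bin/who.sh]
interval=300
sourcetype=who
index=os
disabled=1
"""

def audit_inputs(text, expected_index="os"):
    """Return (active, problems) for the script:// stanzas found in text."""
    # Assumption: only this file is read; values inherited from the app's
    # default/ directory are not merged in.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    active, problems = [], []
    for name in cp.sections():
        if not name.startswith("script://"):
            continue
        st = cp[name]
        if st.get("disabled", fallback="").strip().lower() in ("1", "true"):
            problems.append((name, "disabled"))
        elif st.get("index", fallback="").strip() != expected_index:
            problems.append((name, "index=%s" % st.get("index", fallback="<unset>")))
        else:
            active.append((name, st.get("sourcetype"), st.get("interval")))
    return active, problems

if __name__ == "__main__":
    ok, bad = audit_inputs(SAMPLE)
    for row in ok:
        print("active", *row)
    for row in bad:
        print("check ", *row)
```

Stanzas reported under "check" will not show up where the answer's configuration sends data, so compare them against the index the app on the Splunk server actually searches.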
I have the same problem as mentioned above. I can view all my remote host data through Splunk search, but when it comes to the *NIX app it only shows the local host. I will be glad if someone can help on this.