Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk 4.2 Universal Forwarder *nix app install via CLI

monkeybox
Engager
‎03-28-2011 10:42 PM

I am running a Linux box as an indexer and have multiple servers feeding data back to the index. The issue I am having is a simple one but I cannot find a very straight forward answer. Forgive me if this question has been answered but I have only been successful in finding variations of the question. I have 4 unix boxes that I have the new universal forwarders set up on. The initial set up went smoothly and the data is being fed into the deployment manager. Since there is no browser interface I need to install the *nix app via the terminal. What is the correct syntax to accomplish this? the only data I am receiving from my forwarders is splunk information.

example: 03/18/2011 19:30:00, search_name="All indexers - regenerator", search_now=1300503600.000, info_min_time=1300501800.000, info_max_time=1300503600.000, info_search_time=1300503640.924, avg_age=0, indexQ_percentage=0, kb="2420.735356", my_splunk_server="access-root", parseQ_percentage=0, report="\"DM indexer summary index\""

I was hoping to install the *nix app in order to collect more important data such as syslogs. Without having to manually forward them. Since this is something the forwarder should do.

Any help would be appreciated.

Thanks, Miguel

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎03-29-2011 12:28 AM

Miguel,

There is currently a bug with installing Splunk 4.2 UF via the CLI.

http://answers.splunk.com/questions/13073/installing-setting-up-unix-app-with-universal-forwarder/13...

However, you can still easily install the app via the configuration files. Here is a quick installation guide: 

1 - Download the Unix app from splunkbase
2 - untar the package in the /splunk/etc/apps directory so that it looks like: /splunk/etc/apps/unix
3 - Copy /splunk/etc/apps/unix/default/app.conf to /splunk/etc/apps/unix/local/app.conf
4 - Edit the app.conf in the local directory to say: app=enabled
5 - Copy /splunk/etc/apps/unix/default/inputs.conf to /splunk/etc/apps/unix/local/
6 - Edit /splunk/etc/apps/unix/local/inputs.conf so that you ENABLE (set to 1) each and all inputs you would like to send to the indexer.
7 - Restart splunk

(Assuming youve already set up forwarding/receiving) This should do it...

View solution in original post

Reply
Solved! Jump to solution

splunkdsf
New Member
‎04-02-2011 07:55 AM

After I follow these instructions, I start the application (splunk start) -- all is fine.

Then I do ==> enable the app from cd $SPLUNK_HOME/bin ./splunk enable app unix

It returns:

Your session is invalid. Please login. Splunk username: admin Password: Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".

if i enter the incorrect password it lets me know... the correct password shuts it off. Any ideas? thanks.

0 Karma
Reply
Solved! Jump to solution

hugocvg
Explorer
‎03-20-2013 02:59 PM

what command you run to enable unix app?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎03-29-2011 12:33 AM

You will have to use the CLI, or modify directly the configuration files.

  1. download the unix app from splunkbase http://splunkbase.splunk.com/apps/All/4.x/App/app:Splunk+for+Unix+and+Linux, untar the file in $SPLUNK_HOME/etc/apps/
  2. restart splunk, and enable the app from cd $SPLUNK_HOME/bin ./splunk enable app unix
  3. to tune your inputs, modify the $SPLUNK_HOME/etc/apps/unix/local/inputs.conf and restart to apply.

You can check the result of your configuration with ./btool inputs list

0 Karma
Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎03-29-2011 12:28 AM

Miguel,

There is currently a bug with installing Splunk 4.2 UF via the CLI.

http://answers.splunk.com/questions/13073/installing-setting-up-unix-app-with-universal-forwarder/13...

However, you can still easily install the app via the configuration files. Here is a quick installation guide: 

1 - Download the Unix app from splunkbase
2 - untar the package in the /splunk/etc/apps directory so that it looks like: /splunk/etc/apps/unix
3 - Copy /splunk/etc/apps/unix/default/app.conf to /splunk/etc/apps/unix/local/app.conf
4 - Edit the app.conf in the local directory to say: app=enabled
5 - Copy /splunk/etc/apps/unix/default/inputs.conf to /splunk/etc/apps/unix/local/
6 - Edit /splunk/etc/apps/unix/local/inputs.conf so that you ENABLE (set to 1) each and all inputs you would like to send to the indexer.
7 - Restart splunk

(Assuming youve already set up forwarding/receiving) This should do it...

Reply
Solved! Jump to solution

Genti
Splunk Employee
Splunk Employee
‎03-29-2011 07:23 PM

you should be able to see the data from both apps, as long as you specify index=os on the search app. (the unix app has that by default)

0 Karma
Reply
Solved! Jump to solution

monkeybox
Engager
‎03-29-2011 05:32 PM

Exactly what I was looking for. Thank you. It appears to have gone smoothly. Should I be looking for data sent from forwarders under my deployment manager/search app/ or my indexers *nix app? Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...