How to install Splunk Universal Forwarder on a Linux server?

molinarf
Communicator

I know this was probably answered before, but I am not able to find any answers...

I am trying to install the Splunk UF on a Linux server after having to manually uninstall it because of overlapping 7.2.3 (.tgz) and 8.1.0 (.rpm) packages. I am trying to install the 8.1.0 rpm but get the error that it is already installed. When I try to uninstall it, since the error says it's installed, it says that it is already installed. I can't reboot the server because of operations, but would like to have Splunk operational and reporting to the indexer. Can anyone help with guidance on how to overcome this error?

Thank you for any assistance that can be provided.


molinarf
Communicator

I ran ps -ef and it shows splunk started. There is nothing that showed it stopped.

Okay, I look at the splunkd and metrics logs, but what do I look for? All signs point to it working, but nothing is reaching the indexer. The last time this server had even communicated was 1/6/21, but there were no metrics being sent. So that is what started me chasing this rabbit down the hole, and I found the two splunk installs...


isoutamo
SplunkTrust
What are you seeing in the UF's splunkd.log and metrics.log?

molinarf
Communicator

splunkd.log shows that everything seems to be working fine. In the metrics log, it seems that there is nothing collected and sent, but I am not really sure about it. I did find this line, which makes it seem that it is trying to communicate with the indexer and DS.

INFO StatusMgr - destHost=<ip>, destIp=<ip>, destPort=9997, eventType=connect_try,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor

INFO StatusMgr - destHost=<ip>, destIp=<ip>, destPort=9997, eventType=connect_fail,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor


isoutamo
SplunkTrust
It tried and failed. Usually the reason can be found in splunkd.log on the UF and/or the indexer.
Also curl or tcpdump from the command line can be used to check why it fails.
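The reply above says to read the StatusMgr lines in the UF's splunkd.log and to test the path to port 9997 from the command line. The script below is an added example, not code from the thread or from Splunk: it parses the `connect_try` / `connect_fail` lines of the shape quoted in the thread, counts them per `destHost:destPort`, flags destinations where every attempt failed, and does a plain TCP connect test to a host and port. The log lines in `SAMPLE_LOG` are constructed for the example (addresses and timestamps are made up), and the `connect_done` event used as the "success" case is an assumption, since only `connect_try` and `connect_fail` appear in the thread.

```python
import re
import socket
from collections import defaultdict

# Constructed sample in the shape of the UF's splunkd.log StatusMgr lines quoted
# in the thread. Hosts, times and the connect_done success event are made up.
SAMPLE_LOG = """\
01-07-2021 10:00:01.123 +0000 INFO  StatusMgr - destHost=10.0.0.5, destIp=10.0.0.5, destPort=9997, eventType=connect_try,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor
01-07-2021 10:00:02.456 +0000 INFO  StatusMgr - destHost=10.0.0.5, destIp=10.0.0.5, destPort=9997, eventType=connect_fail,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor
01-07-2021 10:00:32.789 +0000 INFO  StatusMgr - destHost=10.0.0.5, destIp=10.0.0.5, destPort=9997, eventType=connect_try,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor
01-07-2021 10:00:33.012 +0000 INFO  StatusMgr - destHost=10.0.0.5, destIp=10.0.0.5, destPort=9997, eventType=connect_fail,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor
01-07-2021 10:01:00.000 +0000 INFO  StatusMgr - destHost=10.0.0.6, destIp=10.0.0.6, destPort=9997, eventType=connect_try,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor
01-07-2021 10:01:00.100 +0000 INFO  StatusMgr - destHost=10.0.0.6, destIp=10.0.0.6, destPort=9997, eventType=connect_done,  publisher=Tcpout, sourcePort=8089, statusee=TCPOutputProcessor
01-07-2021 10:01:05.000 +0000 INFO  TcpOutputProc - some unrelated line that must be ignored
"""

STATUSMGR_RE = re.compile(r"StatusMgr - (?P<kv>.*)$")


def parse_statusmgr(line):
    """Return the key=value fields of a StatusMgr line as a dict, or None for other lines."""
    m = STATUSMGR_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in m.group("kv").split(","):
        item = item.strip()
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def summarize_tcpout(log_text):
    """Count Tcpout eventTypes per destHost:destPort, e.g. {'10.0.0.5:9997': {'connect_try': 2, ...}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_statusmgr(line)
        if not fields or fields.get("publisher") != "Tcpout":
            continue
        dest = f"{fields.get('destHost')}:{fields.get('destPort')}"
        summary[dest][fields.get("eventType", "unknown")] += 1
    return {dest: dict(counts) for dest, counts in summary.items()}


def unreachable_destinations(summary):
    """Destinations where every connect_try was answered by a connect_fail."""
    bad = []
    for dest, counts in summary.items():
        tries = counts.get("connect_try", 0)
        fails = counts.get("connect_fail", 0)
        if tries and fails >= tries:
            bad.append(dest)
    return sorted(bad)


def tcp_reachable(host, port, timeout=3.0):
    """Plain TCP connect to host:port, the same thing a curl or tcpdump check would show."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_local_listener_check():
    """Self-contained check: a local listener is reachable, the same port after close is not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    counts = summarize_tcpout(SAMPLE_LOG)
    for dest, c in counts.items():
        print(dest, c)
    print("never connected:", unreachable_destinations(counts))
    print("local listener check:", demo_local_listener_check())
```

To run it against a real forwarder, read `$SPLUNK_HOME/var/log/splunk/splunkd.log` into `summarize_tcpout` instead of `SAMPLE_LOG`, and call `tcp_reachable` with the indexer's address and 9997; a `False` there, together with a destination listed by `unreachable_destinations`, points at the network path (firewall, routing, or, as in this thread, a different host answering on the wire) rather than at the UF's inputs.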

molinarf
Communicator

I ran the tcpdump command and the communication showed was between a virtual server on this Linux server and the indexer. The Linux server itself doesn't show up.

At this point, I am thinking of uninstalling the UF completely and reinstalling after this server is upgraded, which is supposed to be this year.


gcusello
SplunkTrust

Hi @molinarf,

try tar!

Ciao.

Giuseppe
