Installation

How to set up "Splunk Add-on for Unix and Linux" on SH for ingested data from UF

ojay
Path Finder

Hi all,

I am really new to this so please bear with me.

I have a Indexer cluster , SH and a DS and one server where the UF is sending data to the indexers.

It is recommended to install the  "Splunk Add-on for Unix and Linux" on on the SH right?

Now how do I configure it there. I  chose the File and directory input but I only get error messages for the scripted metrics and events inputs. and I can not pick the Index.

"Search produced no results." is the error message in the UI.

I'm confused.

Can someone please help me with this?

Thank you so much,

Oj.

Labels (1)
0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ojay 

For ingested data, it is just required to install Add-on on SH , it is not required to configure on SH. The purpose of installing on SH is for search time extractions of ingested data. 

 

Screenshot 2021-05-15 at 6.39.07 PM.png

Please go through this link for more info.

https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Install

 

Thanks
KV
▄︻̷̿┻̿═━一

If this reply helps you, an upvote would be appreciated.

0 Karma

ojay
Path Finder

Thanks for the quick response!

So it is required on the indexers. I will install it indexer cluster using the master node.

But then what? Do I need to install it on the UF? I dont find the "comments" useful in the UF section.

And also from where do I configure it then? most probably not from the index cluster right?

Best,

O.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@ojay 

The Splunk Add-on for Unix and Linux allows a Splunk software administrator to collect *nix data from *nix hosts. Install the Splunk Add-on for Unix and Linux on a forwarder to send data from any number of *nix hosts to a Splunk Enterprise indexer or group of indexers.

Here,

hosts are the machine from where you want to collect data.

forwarder can be UF or HFs, which will be installed on hosts (the machine from where you want to collect data)   as per your requirement which will send data to group of indexer(s) Or indexer Cluster.  Here you need to install Splunk Add-on for Unix and Linux addon and need to configure (enable) for data collection. 

Indexer you need to install Splunk Add-on for Unix and Linux on indexer also for event parsing and ingest. 

SH you need to install Splunk Add-on for Unix and Linux on SH also for Search time extractions.

 

https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/About

 

Your Answers:

You can find the comments column in link. looks like below image.

Screenshot 2021-05-16 at 7.23.54 PM.png

For configuration, please check this. You will find your most of the answers.

https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Enabledataandscriptedinputs

Where to Install addon. 

https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall

 

I hope you will get your solution, you can ask in case.

 

Thanks
KV
▄︻̷̿┻̿═━一

If this reply helps you, an upvote would be appreciated.

 

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...