Splunk Cloud Platform

Is there a way to monitor a Linux server with Splunk but without any use of apps or plugins from Splunkbase?

GustavMahler
Explorer

I am new to Splunk and did some fundamental courses to understand the platform. I have this question and would like to know if this is possible. I want to monitor a Linux server (CPU usage, disk usage, RAM usage and network metrics) with Splunk. I know there are a lot of apps available on Splunkbase. But I want to know if there is a way to just use Splunk without the need for any other apps from Splunkbase to accomplish this objective?

1 Solution

Richfez
SplunkTrust

Absolutely!

You do know that apps on Splunkbase really are just a set of configurations, right? You can write your own configurations - extractions, parsing, data collection inputs, etc... - to do all this yourself.

I heartily recommend against it though. There are a LOT of gotchas and the details are fiddly and there's a lot of room for making it brittle or just plain wrong at times. So there's a reason that those apps exist - to compile together some of the best, most tested ways to do it.

But for one-off or simple cases, sure. Write a modular input that collects the output of the *nix "ps" command, and write a sourcetype for it to parse it correctly. Or write a shell script that you run on a cron that massages the output of "ps" into something easier to work with (kv pairs come to mind) and then dump it to a file that you use a batch/sinkhole input on to grab.

Or, just install the app from Splunkbase and cut out 98.7% of the hard work by using someone else's tested configurations, inputs and whatnot for this job.

If I may ask - why do you want to avoid Splunkbase apps?
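The cron-plus-sinkhole approach described in the answer above, as an added example that is not part of the original post or of any Splunk app: a script that converts "ps" output into key=value events that Splunk's built-in KV extraction parses. It assumes a POSIX "ps -eo", awk, and a batch input watching a spool directory; SPOOL_DIR, the script path and the sourcetype name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the original poster's or Splunk's code: a cron-driven
# collector that turns `ps` output into key=value events which Splunk's
# built-in KV extraction parses with no Splunkbase add-on.
# Assumptions: POSIX `ps -eo`, awk, and a batch (sinkhole) input that
# watches $SPOOL_DIR (stanza at the bottom). SPOOL_DIR is a placeholder path.

SPOOL_DIR="${SPOOL_DIR:-/var/spool/splunk-ps}"

# Read "pid user pcpu pmem rss args" lines (header included) on stdin and
# print one event per process: ISO timestamp first so Splunk's default
# timestamp extraction picks it up, then key=value pairs. The command line
# is the remainder of the line and is quoted because it may contain spaces.
ps_to_kv() {
  awk -v ts="$1" -v host="$2" 'NR > 1 {
      cmd = $6
      for (i = 7; i <= NF; i++) cmd = cmd " " $i
      gsub(/"/, "", cmd)   # drop embedded quotes so the quoted value stays intact
      printf "%s host=%s pid=%s user=%s pcpu=%s pmem=%s rss_kb=%s cmd=\"%s\"\n",
             ts, host, $1, $2, $3, $4, $5, cmd
  }'
}

# Snapshot the process table into a uniquely named file in the spool
# directory; the sinkhole input deletes each file once it has been indexed.
collect() {
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  mkdir -p "$SPOOL_DIR"
  ps -eo pid,user,pcpu,pmem,rss,args | ps_to_kv "$ts" "$(uname -n)" \
      > "$SPOOL_DIR/ps-$(date +%s)-$$.log"
}

# Run from cron, e.g. "* * * * * /usr/local/bin/ps_kv.sh run" (assumed path).
case "${1:-}" in run) collect ;; esac

# inputs.conf stanza on the forwarder that owns the spool directory
# (assumed sourcetype name; the batch input is a standard Splunk input):
# [batch:///var/spool/splunk-ps]
# move_policy = sinkhole
# sourcetype = linux:ps_kv
# disabled = 0
```

Because each event carries host, user, pcpu, pmem and rss_kb as plain key=value pairs, a search such as `sourcetype=linux:ps_kv | stats sum(pcpu) by host` works with no props or transforms beyond the default extraction.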



GustavMahler
Explorer

Thanks for the answer. I am just curious if there is a way to monitor a Linux server through Splunk without apps or add-ons from Splunkbase.
