I am new to Splunk and did some fundamental courses to understand the platform. I have this question and would like to know if this is possible. I want to monitor a Linux server (CPU usage, disk usage, RAM usage and network metrics) with Splunk. I know there are a lot of apps available on Splunkbase. But I want to know if there is a way to just use Splunk, without the need for any other apps from Splunkbase, to accomplish this objective?
Absolutely!
You do know that apps on Splunkbase really are just a set of configurations, right? You can write your own configurations - extractions, parsing, data collection inputs, etc... - to do all this yourself.
I heartily recommend against it though. There are a LOT of gotchas and the details are fiddly and there's a lot of room for making it brittle or just plain wrong at times. So there's a reason that those apps exist - to compile together some of the best, most tested ways to do it.
But for one-off or simple cases, sure. Write a modular input that collects the output of the *nix "ps" command, and write a sourcetype for it to parse it correctly. Or write a shell script that you run on a cron that massages the output of "ps" into something easier to work with (kv pairs comes to mind) and then dump it to a file that you use a batch/sinkhole input on to grab.
Or, just install the app from Splunkbase and cut out 98.7% of the hard work by using someone else's tested configurations, inputs and whatnot for this job.
If I may ask - why do you want to avoid Splunkbase apps?
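An added example (not from the original thread) of the cron-plus-file approach the answer sketches: a POSIX shell script that reads CPU load, memory, disk and network counters from /proc and df, writes one key=value event per run, and is picked up by a plain file monitor input. The output path, the sourcetype name and the inputs.conf/props.conf stanzas in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: emit Linux host metrics as one key=value
# event per run for a plain Splunk file monitor input (KV_MODE=auto does the parsing).
# Assumed inputs.conf: [monitor:///var/log/hostmetrics/metrics.log]  sourcetype = linux:hostmetrics
# Assumed props.conf:  [linux:hostmetrics]  TIME_PREFIX = ^  TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ  KV_MODE = auto
OUT_FILE="${OUT_FILE:-/var/log/hostmetrics/metrics.log}"   # assumed output path

# One event: UTC timestamp, then key=value pairs; values containing whitespace are quoted.
kv_event() {
    line=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    for pair in "$@"; do
        key=${pair%%=*}; val=${pair#*=}
        case $val in
            *[[:space:]]*) line="$line $key=\"$val\"" ;;
            *)             line="$line $key=$val" ;;
        esac
    done
    printf '%s\n' "$line"
}

# CPU: 1/5/15-minute load averages plus running/total task counts from /proc/loadavg.
cpu_kv() {
    awk '{split($4,r,"/"); printf "load1=%s load5=%s load15=%s tasks_running=%s tasks_total=%s\n",$1,$2,$3,r[1],r[2]}' /proc/loadavg
}

# RAM: totals in kB and a used percentage derived from MemAvailable.
mem_kv() {
    awk '/^MemTotal:/{t=$2} /^MemAvailable:/{a=$2}
         END{printf "mem_total_kb=%.0f mem_avail_kb=%.0f mem_used_pct=%.1f\n",t,a,(t>0)?100*(t-a)/t:0}' /proc/meminfo
}

# Disk: root filesystem usage from POSIX-format df (column 5 is "NN%", +0 strips the sign).
disk_kv() { df -P / | awk 'NR==2{printf "disk_mount=%s disk_used_pct=%d\n",$6,$5+0}'; }

# Network: cumulative rx/tx bytes summed over every non-loopback interface in /proc/net/dev.
net_kv() {
    awk 'NR>2{sub(/^ +/,""); split($0,a,":"); if(a[1]!="lo"){split(a[2],f," "); rx+=f[1]; tx+=f[9]}}
         END{printf "net_rx_bytes=%.0f net_tx_bytes=%.0f\n",rx,tx}' /proc/net/dev
}

# Assemble one event from all collectors; unquoted substitutions split into key=value words.
collect() { kv_event host="$(uname -n)" $(cpu_kv) $(mem_kv) $(disk_kv) $(net_kv); }

# Append one sample. Assumed cron line: * * * * * /usr/local/bin/hostmetrics.sh run
run_once() { mkdir -p "$(dirname "$OUT_FILE")" && collect >> "$OUT_FILE"; }

if [ "${1:-}" = "run" ]; then run_once; fi
```

Because every field is already `key=value`, no custom extraction is needed; a search such as `sourcetype=linux:hostmetrics | timechart avg(mem_used_pct) by host` works with the automatic KV extraction alone.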
Thanks for the answer. I am just curious if there is a way to monitor a Linux server through Splunk without apps or add-ons from Splunkbase.