Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to monitor Linux server with Splunk but without any use of apps or plugins from Splunk base?

GustavMahler
Explorer
‎09-29-2021 07:30 AM

I am new to Splunk and did some fundamental courses to understand the platform. I have this question and would like to know if this is possible. I want to monitor Linux server (CPU usage, Disk usage, Ram usage and network metrics) with Splunk. I know there are lot of apps available on Splunkbase. But I want to know if there is a way to just use Splunk without need of any other apps from Splunkbase to accomplish this objective? 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎09-29-2021 07:53 AM

Absolutely!

You do know that apps on Splunkbase really are just a set of configurations, right?  You can write your own configurations - extractions, parsing, data collection inputs, etc... - to do all this yourself.

I heartily recommend against it though.  There are a LOT of gotchas and the details are fiddly and there's a lot of room for making it brittle or just plain wrong at times.  So there's a reason that those apps exist - to compile together some of the best, most tested ways to do it.

But for one-off or simple cases, sure.  Write a modular input that collects the output of the *nix "ps" command, and write a sourcetype for it to parse it correctly.  Or write a shell script that you run on a cron that massages the output of "ps" into something easier to work with (kv pairs comes to mind) and then dump it to a file that you use a batch/sinkhole input on to grab. 

Or, just install the app from Splunkbase and cut out 98.7% of the hard work by using someone else's tested configurations, inputs and whatnot for this job.

If I may ask - why do you want to avoid Splunkbase apps?

 

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎09-29-2021 07:53 AM

Absolutely!

You do know that apps on Splunkbase really are just a set of configurations, right?  You can write your own configurations - extractions, parsing, data collection inputs, etc... - to do all this yourself.

I heartily recommend against it though.  There are a LOT of gotchas and the details are fiddly and there's a lot of room for making it brittle or just plain wrong at times.  So there's a reason that those apps exist - to compile together some of the best, most tested ways to do it.

But for one-off or simple cases, sure.  Write a modular input that collects the output of the *nix "ps" command, and write a sourcetype for it to parse it correctly.  Or write a shell script that you run on a cron that massages the output of "ps" into something easier to work with (kv pairs comes to mind) and then dump it to a file that you use a batch/sinkhole input on to grab. 

Or, just install the app from Splunkbase and cut out 98.7% of the hard work by using someone else's tested configurations, inputs and whatnot for this job.

If I may ask - why do you want to avoid Splunkbase apps?

 

Reply
Solved! Jump to solution

GustavMahler
Explorer
‎09-29-2021 08:54 AM

Thanks for the answer.  I am just curious if there is a way to monitor a Linux server through Splunk without apps or add-on from Splunkbase. 

0 Karma
Reply
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Top