
Splunk Universal Forwarder Install Question

OldManEd
Builder

I have a new instance of Splunk 6.3 that I am installing, and the search head & indexers are Linux OS. The forwarders are Windows. While going through the Forwarder install process I saw the following:

If you enable data inputs when installing the universal forwarder, the installer saves the configuration that enables those inputs into the Splunk Add-on for Windows that comes with the installer.

This configuration includes index definitions. This means that the indexer that this forwarder sends data to must already have those indexes defined. The indexes are:

    perfmon for Performance Monitoring inputs.
    windows for generic Windows inputs.
    wineventlog for Windows Event Log inputs.

If you have not defined those indexes, do so prior to performing a universal forwarder installation. A Splunk best practice is to install the Splunk Add-on for Windows onto indexers that receive forwarded data. 

So I am fine with the forwarder install but am confused with the installation on the "Splunk Add-On for Windows" on the Linux servers.

I looked for a "Splunk for Windows" app to install on the indexers, but did not see anything. Is there a "Splunk for Windows" app? Do I install the "Splunk Add-on for Windows" app on Linux?

The documentation is not very clear.


malmoore
Splunk Employee

Hi,

Here's what that means:

  • If you define inputs by clicking on entries in the "Enable inputs" dialog box during the installation, then the installer creates configurations that reference indexes for those inputs.
  • This means that, when the forwarder sends data to the indexer for those inputs, it expects that the indexer already has those indexes defined.
  • By default, indexers do not have those indexes defined.
  • To fix that problem, you need the Splunk Add-on for Windows, which you can download here.
  • You can install the app through Splunk Web on the indexer that will receive the forwarded data. No additional configuration is needed.

I hope this helps clear up things. I will update the doc text to make it easier to understand.

Thanks.
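The practical consequence of the answer above is that a Linux indexer without the add-on has no `perfmon`, `windows` or `wineventlog` stanza in any indexes.conf, and events a forwarder sends to an index the indexer does not know are dropped (the indexer logs a "Received event for unconfigured/disabled/deleted index" message rather than storing them). For a security team that means Windows event logs silently never arrive. The script below is an added example written for this page; it is not code from the thread, from Splunk, or from the Splunk Add-on for Windows. It defines a small POSIX shell check that reads an indexes.conf and lists which of the three required indexes are missing, and it writes a minimal indexes.conf in the same shape the add-on uses to define them. The `$SPLUNK_DB` paths and the file names are illustrative assumptions, and the two conf files it checks are constructed in a temp directory, not taken from a real indexer.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk's add-on): given the path to
# an indexes.conf, report which of the three indexes the Windows forwarder inputs
# reference are not defined there. Paths and stanza contents are assumptions.

REQUIRED_INDEXES="perfmon windows wineventlog"

# Print the stanza names ([name]) defined in an indexes.conf, one per line.
defined_indexes() {
    sed -n 's/^[[:space:]]*\[\([^]]*\)\][[:space:]]*$/\1/p' "$1"
}

# Print the required indexes that are absent from the given indexes.conf.
# Exit status 0 when nothing is missing, 1 otherwise.
missing_indexes() {
    conf="$1"
    defined=$(defined_indexes "$conf")
    rc=0
    for idx in $REQUIRED_INDEXES; do
        if ! printf '%s\n' "$defined" | grep -qx "$idx"; then
            echo "$idx"
            rc=1
        fi
    done
    return $rc
}

# Write a minimal indexes.conf that defines the three indexes, in the shape the
# Splunk Add-on for Windows uses (homePath/coldPath/thawedPath under $SPLUNK_DB).
# The exact paths are illustrative; the stanza names are what matters.
write_windows_indexes_conf() {
    cat > "$1" <<'EOF'
[perfmon]
homePath   = $SPLUNK_DB/perfmon/db
coldPath   = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb

[windows]
homePath   = $SPLUNK_DB/windows/db
coldPath   = $SPLUNK_DB/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb

[wineventlog]
homePath   = $SPLUNK_DB/wineventlog/db
coldPath   = $SPLUNK_DB/wineventlog/colddb
thawedPath = $SPLUNK_DB/wineventlog/thaweddb
EOF
}

# Demo on two constructed files: a stock indexer that only knows [main], and one
# carrying the add-on style indexes.conf written above.
tmp=$(mktemp -d)
printf '[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n' > "$tmp/indexes_stock.conf"
write_windows_indexes_conf "$tmp/indexes_windows.conf"
echo "Stock indexer is missing: $(missing_indexes "$tmp/indexes_stock.conf" | tr '\n' ' ')"
echo "With the add-on's indexes.conf, missing: '$(missing_indexes "$tmp/indexes_windows.conf")'"
rm -rf "$tmp"
```

On a live indexer the equivalent check is to run `splunk btool indexes list` and confirm the three stanzas appear in the merged configuration, regardless of which app directory they come from; the add-on is simply the supported way to get them there, which is why it is installed on Linux indexers that will never run a Windows input themselves.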

OldManEd
Builder

Malmoore,
Thanks for the reply. And just to clarify, I saw your entry in the documentation, but that's what confused me. I was not sure if there was a special tar file specifically for Linux servers. I ended up simply copying the "splunk-add-on-for-microsoft-windows_480.tar.gzip" file onto my deployment server, ran an untar and then loaded that onto my Linux indexers & search head servers. That seemed to work fine. The indexes were created and there were no errors.
~Ed


malmoore
Splunk Employee

Nope, nothing different for Linux hosts. The Splunk Add-on for Windows's sole purpose on Linux Splunk instances is to define those indexes.


OldManEd
Builder

Well yea.., I know that NOOooOOowww... 😉
Seriously, thanks again for pointing me in the right direction.
~Ed
