Hi,
This procedure should get you up and running:
On the Windows instance, set up the instance to receive data from forwarders. You can use Splunk Web or the Splunk CLI. An example CLI follows:
cd "C:\Program Files\Splunk"
.\splunk enable listen 9997 -auth admin:changeme
.\splunk restart
Download the Splunk App for Unix and Linux onto the Windows host.
Install the Splunk App for Unix and Linux.
cd "C:\Program Files\Splunk"
.\splunk install app C:\Path\To\Splunk-App-for-Nix.tgz
Install the Splunk Add-on for Unix and Linux onto the Windows instance.
cd "C:\Program Files\Splunk"
xcopy "C:\Program Files\Splunk\etc\apps\splunk-app-for-nix\install\Splunk_TA_Nix" "C:\Program Files\Splunk\etc\apps\Splunk_TA_nix" /s /e /v /i
On the Unix host, download the Splunk universal forwarder (not indexer) for the version of Unix that the host runs.
After downloading, unarchive the forwarder to the installation directory.
cd /opt
tar xvzf /path/to/splunk.tgz
Change to the universal forwarder installation directory and configure it to send data to the Windows indexer:
cd /opt/splunk
./splunk start
[Accept the license agreement and wait for initial setup to complete]
./splunk add forward-server <hostname of Windows indexer>:9997
Download the Splunk Add-on for Unix and Linux onto the Unix host with the universal forwarder.
Install the Splunk Add-on for Unix and Linux.
cd /opt/splunk
./splunk install app /path/to/splunk-add-on-for-unix-and-linux.tgz
./splunk restart
Configure the Splunk Add-on for Unix and Linux.
export SPLUNK_HOME=/opt/splunk
cd $SPLUNK_HOME/etc/apps/Splunk_TA_nix
. ./setup.sh
Enter the Splunk username and password when prompted.
Follow the prompts to enable or disable *nix inputs within the setup.sh program. For example, if you wanted to enable all of the Unix inputs, you would enter 2, then 2 again, then 1, then press Enter to return to the main menu, then enter 0 to exit the setup program.
At this point the universal forwarder should begin sending data to your Windows indexer. You might need to restart the Unix forwarder for all the changes to take effect.
Look on your Windows indexer for Unix data. You can confirm that data is arriving by invoking this search from within Splunk Web.
index=os host=<name of unix host>
If you don't see data, then make sure that:
* You installed the Splunk Add-on for Unix and Linux onto the Windows host.
* You configured the Splunk Add-on for Unix and Linux on the Unix host to enable the add-on inputs.
* There is not a network connectivity problem between the Unix host and the Windows host.
Load the Splunk App for Unix and Linux. You should see the Unix data appear there.
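The three-point checklist near the end of the answer is easy to script. What follows is an added example, not part of the original answer and not Splunk's own tooling: a bash script for the Unix forwarder host that checks whether the Splunk Add-on for Unix and Linux is installed, whether any of its inputs are enabled, and whether the configured indexer is reachable on its receiving port. It assumes the answer's layout, SPLUNK_HOME=/opt/splunk (override the variable if the forwarder sits in /opt/splunkforwarder), that `splunk add forward-server` wrote its target into etc/system/local/outputs.conf, and that setup.sh enabled the inputs in the add-on's local/inputs.conf. The function names, the --check and --demo flags, and the sample configuration are all constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original answer): troubleshooting checks for a
# universal forwarder host. Assumes SPLUNK_HOME=/opt/splunk as in the answer;
# override it if the forwarder is installed under /opt/splunkforwarder.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# Check 1: is the Splunk Add-on for Unix and Linux present under etc/apps?
addon_installed() {
    [ -d "${1:-$SPLUNK_HOME}/etc/apps/Splunk_TA_nix" ]
}

# Check 2: print the stanza names in an inputs.conf whose "disabled" key is
# 0 or false (the add-on ships its inputs disabled; setup.sh enables them).
enabled_inputs() {
    [ -r "$1" ] || return 1
    awk '
        /^\[/ { stanza = substr($0, 2, length($0) - 2); next }
        /^[ \t]*disabled[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
            if (kv[2] == "0" || kv[2] == "false") print stanza
        }' "$1"
}

# Check 3a: print every host:port target in an outputs.conf, one per line,
# from "server = a:9997, b:9997" lines and [tcpout-server://host:port] stanzas.
forward_targets() {
    [ -r "$1" ] || return 1
    sed -n \
        -e 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' \
        -e 's/^\[tcpout-server:\/\/\(.*\)\]$/\1/p' "$1" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Return 0 when the argument is host:port with a numeric port in 1-65535.
valid_target() {
    host="${1%:*}"
    port="${1##*:}"
    [ -n "$host" ] && [ "$host" != "$1" ] || return 1
    case "$port" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Check 3b: can this host open a TCP connection to host:port (the port the
# indexer was told to listen on with "splunk enable listen")?
tcp_reachable() {
    host="${1%:*}"
    port="${1##*:}"
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" >/dev/null 2>&1
    else
        (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null   # bash-only fallback
    fi
}

# Run all checks against one forwarder installation; non-zero if any fails.
check_forwarder() {
    home="${1:-$SPLUNK_HOME}"
    status=0
    if addon_installed "$home"; then echo "ok: Splunk_TA_nix installed"
    else echo "MISSING: Splunk_TA_nix under $home/etc/apps"; status=1; fi
    n=$(enabled_inputs "$home/etc/apps/Splunk_TA_nix/local/inputs.conf" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then echo "ok: $n add-on input(s) enabled"
    else echo "MISSING: no add-on inputs enabled (run setup.sh)"; status=1; fi
    targets=$(forward_targets "$home/etc/system/local/outputs.conf")
    [ -n "$targets" ] || { echo "MISSING: no forward-server configured"; status=1; }
    for t in $targets; do
        if ! valid_target "$t"; then echo "BAD TARGET: $t"; status=1; continue; fi
        if tcp_reachable "$t"; then echo "ok: $t reachable"
        else echo "UNREACHABLE: $t (firewall, DNS, or listener not enabled)"; status=1; fi
    done
    return $status
}

# Constructed sample outputs.conf (not captured from a real host) for --demo.
sample_outputs_conf() {
    printf '%s\n' '[tcpout]' 'defaultGroup = windows_indexer' '' \
        '[tcpout:windows_indexer]' 'server = winidx.example.internal:9997, 10.0.0.5:9997'
}

# Usage: ./check_forwarder.sh --check [SPLUNK_HOME]   or   --demo
case "${1:-}" in
    --check) check_forwarder "${2:-$SPLUNK_HOME}" ;;
    --demo)  tmp=$(mktemp -d); sample_outputs_conf > "$tmp/outputs.conf"
             forward_targets "$tmp/outputs.conf"; rm -rf "$tmp" ;;
esac
```

Run it on the forwarder host with `--check` after the setup steps above; each line reports one of the three failure points, so an "UNREACHABLE" line narrows a missing search result down to the network path between the two hosts, while "MISSING" lines point back to the add-on installation or setup.sh.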