Splunk v4.3.2
*NIX 4.5
About the Splunk Technology Add-on (TA) for Unix and Linux
Complete newb with Splunk.
Overview
Running demo of Splunk on Linux CentOS 6.2 - 64-bit
VM Linux guest (CentOS 6.2-64bit) feeding data into Splunk using the Universal Forwarder - splunk-4.3.3-128297-linux-2.6-x86_64.rpm
Splunk indexer/receiver configured as below:
Data input type TCP > 514
Source > Accept connections from all hosts? Yes
Source Type > Manual
Source Type > syslog
This works just as expected, great!
I then tried out the Splunk Technology Add-on (TA) for Unix and Linux, as it would be nice to have performance metrics of various hosts in Splunk, and this is where I'm having problems.
I have downloaded *NIX 4.5 to Splunk; it is installed and available from the WebGUI under App > *NIX 4.5, and has an enabled status under Manager > Apps.
I can collect and see performance data from the local host, the Splunk indexer/receiver, but not from the host I configured below.
I downloaded the Splunk Technology Add-on (TA) for Unix and Linux to the VM Linux guest, taking note that it has to be installed manually. I used this guide, section "Install the TA on a universal forwarder", which I followed:
http://docs.splunk.com/Documentation/UnixApp/latest/User/InstalltheSplunkTechnicalAddonforUnixandLinux
I also noted the comments about various typos in the howto.
I also noted that for Step 1 under section "Enable data and scripted inputs in the TA", it advises you to copy inputs.conf to a directory named "local"; well, on my install there is no directory named "local".
Quote:
"1. Make a copy of $SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf and place it into $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local. "
So I had to create the directory and then assign splunk as owner and group; I'm not sure whether this is a documentation error or a sign of trouble.
I then followed the rest of the guide, setting all of the disabled attributes to 0, thus enabling all the monitors, and restarted Splunk; it restarted without errors.
I went back to my Splunk receiver/indexer and, using the Splunk WebGUI, selected App > *NIX 4.5, expecting to see my host added to it, but it is not: it still has only the local host.
What have I missed?
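The "copy default/inputs.conf to local/ and set every disabled attribute to 0" step the post describes by hand, as an added example (editor's script, not code from the post, from the Splunk docs or from the Splunk_TA_nix project). The default/inputs.conf it writes is a constructed sample that only mimics the TA's layout; the TA_DIR and TA_OWNER variables and the function names are this example's own. It assumes the forwarder already sends to the indexer (outputs.conf), which the post does not show; enabling the scripted inputs alone does not make the host appear on the indexer.

```shell
#!/bin/sh
# Added example: enable Splunk_TA_nix scripted inputs on a universal forwarder.
# Splunk reads local/ over default/, so default/ is left untouched and the
# missing local/ directory (which the post had to create by hand) is created here.

# Write a constructed sample of the TA's default/inputs.conf (not the real file;
# stanza names follow the TA's script inputs, every stanza ships disabled).
write_sample_default_inputs() {
    ta_dir=$1
    mkdir -p "$ta_dir/default"
    cat > "$ta_dir/default/inputs.conf" <<'EOF'
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
disabled = 1

[script://./bin/iostat.sh]
interval = 60
sourcetype = iostat
source = iostat
disabled = 1

[monitor:///var/log]
whitelist=(log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(lastlog)
disabled = 1
EOF
}

# Copy default/inputs.conf into local/inputs.conf with every "disabled = 1"
# rewritten to "disabled = 0". Second argument is an optional owner
# (e.g. splunk); chown only runs when it is given, so the script also works
# unprivileged for a dry run.
enable_ta_inputs() {
    ta_dir=$1
    owner=${2:-}
    mkdir -p "$ta_dir/local"
    sed 's/^[[:space:]]*disabled[[:space:]]*=[[:space:]]*1[[:space:]]*$/disabled = 0/' \
        "$ta_dir/default/inputs.conf" > "$ta_dir/local/inputs.conf"
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$ta_dir/local"
    fi
}

# Count enabled / disabled stanzas in a file so the result can be verified
# before restarting the forwarder (grep -c exits 1 on zero matches; keep the 0).
count_enabled() {
    grep -c '^disabled = 0$' "$1" || true
}

count_disabled() {
    grep -c '^disabled = 1$' "$1" || true
}

# Real use (assumed paths): TA_DIR=/opt/splunkforwarder/etc/apps/Splunk_TA_nix \
#   TA_OWNER=splunk sh enable_ta.sh ; then restart the forwarder.
if [ -n "${TA_DIR:-}" ]; then
    enable_ta_inputs "$TA_DIR" "${TA_OWNER:-}"
    echo "enabled stanzas: $(count_enabled "$TA_DIR/local/inputs.conf")"
fi
```

After running it against the forwarder's Splunk_TA_nix directory, restart the forwarder (`$SPLUNK_HOME/bin/splunk restart`) and confirm on the indexer that events with sourcetype vmstat, iostat and so on arrive from the new host; the *NIX app only lists hosts it can find that data for.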