
Splunk 4.2 Universal Forwarder *nix app install via CLI

monkeybox
Engager

I am running a Linux box as an indexer and have multiple servers feeding data back to the index. The issue I am having is a simple one, but I cannot find a very straightforward answer. Forgive me if this question has been answered, but I have only been successful in finding variations of the question. I have 4 Unix boxes that I have the new universal forwarders set up on. The initial set up went smoothly and the data is being fed into the deployment manager. Since there is no browser interface, I need to install the *nix app via the terminal. What is the correct syntax to accomplish this? The only data I am receiving from my forwarders is Splunk information.

example: 03/18/2011 19:30:00, search_name="All indexers - regenerator", search_now=1300503600.000, info_min_time=1300501800.000, info_max_time=1300503600.000, info_search_time=1300503640.924, avg_age=0, indexQ_percentage=0, kb="2420.735356", my_splunk_server="access-root", parseQ_percentage=0, report="\"DM indexer summary index\""

I was hoping to install the *nix app in order to collect more important data such as syslogs, without having to manually forward them, since this is something the forwarder should do.

Any help would be appreciated.

Thanks, Miguel

1 Solution

Genti
Splunk Employee

Miguel,

There is currently a bug with installing Splunk 4.2 UF via the CLI.

http://answers.splunk.com/questions/13073/installing-setting-up-unix-app-with-universal-forwarder/13...

However, you can still easily install the app via the configuration files. Here is a quick installation guide:

1 - Download the Unix app from Splunkbase
2 - Untar the package in the /splunk/etc/apps directory so that it looks like: /splunk/etc/apps/unix
3 - Copy /splunk/etc/apps/unix/default/app.conf to /splunk/etc/apps/unix/local/app.conf
4 - Edit the app.conf in the local directory to say: app=enabled
5 - Copy /splunk/etc/apps/unix/default/inputs.conf to /splunk/etc/apps/unix/local/
6 - Edit /splunk/etc/apps/unix/local/inputs.conf so that you ENABLE (set to 1) each and all inputs you would like to send to the indexer.
7 - Restart Splunk

(Assuming you've already set up forwarding/receiving) This should do it...

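Steps 5 to 7 of the accepted answer as a script, added here as an example and not part of the original thread. It builds a constructed stand-in for the app's default/inputs.conf in a temporary directory (APP_DIR is an assumed variable), copies it to local/, enables only the named stanzas, and lists what will be collected before you restart; in Splunk .conf files the per-input switch is the `disabled` key, so an enabled input reads `disabled = 0`.

```shell
#!/bin/sh
# Added example: stage local/ overrides for the unix app and enable selected inputs.
# APP_DIR is assumed; by default a constructed app tree is created under mktemp.
APP_DIR="${APP_DIR:-$(mktemp -d)/unix}"
mkdir -p "$APP_DIR/default"

# Constructed stand-in for default/inputs.conf: every input ships disabled.
cat > "$APP_DIR/default/inputs.conf" <<'EOF'
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
index = os
disabled = 1

[script://./bin/vmstat.sh]
interval = 60
index = os
disabled = 1

[monitor:///var/log]
index = os
disabled = 1
EOF

# Step 5: copy default/inputs.conf to local/ (edits belong in local/; default/ is
# replaced on upgrade, so changes made there would be lost).
stage_local() {
    mkdir -p "$APP_DIR/local"
    cp "$APP_DIR/default/inputs.conf" "$APP_DIR/local/inputs.conf"
}

# Step 6: set "disabled = 0" inside one named stanza only, leaving the others alone.
enable_input() {   # $1 = stanza name, e.g. script://./bin/cpu.sh
    awk -v want="[$1]" '
        /^\[/ { in_stanza = ($0 == want) }
        in_stanza && /^disabled[ \t]*=/ { $0 = "disabled = 0" }
        { print }
    ' "$APP_DIR/local/inputs.conf" > "$APP_DIR/local/inputs.conf.tmp" \
    && mv "$APP_DIR/local/inputs.conf.tmp" "$APP_DIR/local/inputs.conf"
}

# Pre-restart check: print the stanzas whose disabled key is now 0.
list_enabled() {
    awk '/^\[/ { s = $0 } /^disabled[ \t]*=[ \t]*0/ { print s }' "$APP_DIR/local/inputs.conf"
}

stage_local
enable_input "script://./bin/cpu.sh"
enable_input "monitor:///var/log"
list_enabled
```

Run it against a real unpacked app by exporting APP_DIR=$SPLUNK_HOME/etc/apps/unix and removing the constructed heredoc, then restart Splunk (step 7) to apply.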

splunkdsf
New Member

After I follow these instructions, I start the application (splunk start) -- all is fine.

Then I enable the app from $SPLUNK_HOME/bin: ./splunk enable app unix

It returns:

Your session is invalid. Please login. Splunk username: admin Password: Splunk is not running, and it must be for this operation. To start splunk, run "splunk start".

If I enter the incorrect password it lets me know... the correct password shuts it off. Any ideas? Thanks.

0 Karma

hugocvg
Explorer

What command did you run to enable the unix app?

0 Karma

yannK
Splunk Employee

You will have to use the CLI, or modify directly the configuration files.

  1. Download the unix app from Splunkbase http://splunkbase.splunk.com/apps/All/4.x/App/app:Splunk+for+Unix+and+Linux and untar the file in $SPLUNK_HOME/etc/apps/
  2. Restart Splunk, and enable the app from $SPLUNK_HOME/bin: ./splunk enable app unix
  3. To tune your inputs, modify $SPLUNK_HOME/etc/apps/unix/local/inputs.conf and restart to apply.

You can check the result of your configuration with ./btool inputs list

0 Karma

Genti
Splunk Employee

You should be able to see the data from both apps, as long as you specify index=os in the search app. (The unix app has that by default.)

0 Karma

monkeybox
Engager

Exactly what I was looking for. Thank you. It appears to have gone smoothly. Should I be looking for data sent from forwarders under my deployment manager/search app/ or my indexers *nix app? Thanks again.

0 Karma