Deployment Architecture

enabling *nix with universal forwarder stops forwarding logs from /etc/system/local/inputs.conf

agent462
New Member

I'm trying to get the *nix app going using the universal forwarder. I can forward logs fine from /etc/system/local/inputs.conf until I enable the *nix app. Once I enable the app, it does forward the *nix /etc/apps/unix/local/inputs.conf logs but not my system-defined logs.

When *nix is enabled, the splunkd.log just stays on INFO TcpOutputProc - Connected to idx=:9997
When it's disabled, it updates fine and shows processing of the log files.

I've tried the configuration from my main Splunk receiver server, which is also using *nix, and the default one from the unix/defaults/. Both cause the same action.

0 Karma

agent462
New Member

I do have an OS index defined exactly like you described. I should have clarified a little better. My indexer is also my search head, all in one box. From the portal I installed the *nix app and it's collecting data for that host.

I'm trying to get one host configured with the forwarder so I can deploy it to the rest of my hosts.

The machine I'm trying to get the Universal Forwarder on will also forward the *nix inputs, but only those. Once I disable the *nix app, my inputs defined in my etc/system/local/inputs.conf start flowing again. It's acting like it's one or the other.

0 Karma

hazekamp
Builder

Most inputs in the *nix app are configured to go to the "os" index. If you do not have this index defined on your indexer, then the data will not be indexed. The easiest way to configure the os index would be to add the following configuration to your $SPLUNK_HOME/etc/system/local/indexes.conf:

## indexes.conf
[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

Installing the *nix app on your indexer will also provide this index, however it will enable certain things you wouldn't want enabled on a pure indexer.

0 Karma
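The failure mode hazekamp describes is silent from the forwarder's point of view: an input stanza that names an index the indexer does not define produces no error on the sending side, so the quickest sanity check is to compare the indexes your inputs.conf files target against the stanzas in indexes.conf. The script below is an added example, not code from this thread or from the Splunk *nix app. It contains a small parser for Splunk's .conf format (stanzas, key = value pairs, comments, backslash line continuations) and reports every enabled input whose index has no stanza in indexes.conf. The three .conf texts embedded in it are constructed samples, not real files from the poster's hosts; the parser is a simplified stand-in for btool and ignores layering across apps and a [default] stanza in inputs.conf, which the real precedence rules would honour.

```python
"""Added example: flag inputs.conf stanzas that target an index with no
definition in indexes.conf. Sample .conf text is constructed for this
example and is not taken from the thread."""
import re
from collections import defaultdict

# Constructed sample: a forwarder's etc/system/local/inputs.conf
SYSTEM_INPUTS = """
[monitor:///var/log/secure]
sourcetype = linux_secure
index = main

[monitor:///var/log/messages]
sourcetype = syslog
"""

# Constructed sample: the *nix app's inputs.conf (one input enabled, one disabled)
NIX_APP_INPUTS = """
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat
source = vmstat
index = os
disabled = 0

[monitor:///var/log]
whitelist = (log$|messages|secure)
index = os
disabled = 1
"""

# Constructed sample: an indexer's indexes.conf that lacks the "os" index
INDEXES_CONF = """
[main]
homePath = $SPLUNK_DB/defaultdb/db

[_internal]
homePath = $SPLUNK_DB/_internaldb/db
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Handles blank lines, '#' comments and trailing-backslash line
    continuations. A duplicate key within one file keeps the last value.
    """
    stanzas = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: glue the next line on
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                     # stray line outside a stanza
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def input_index_map(*input_texts, default_index="main"):
    """Return {index_name: [stanza, ...]} for every enabled input stanza.

    An input with no explicit 'index' falls back to default_index, which
    mirrors Splunk's behaviour of routing unlabelled data to main.
    """
    by_index = defaultdict(list)
    for text in input_texts:
        for stanza, attrs in parse_conf(text).items():
            if stanza == "default":
                continue
            if attrs.get("disabled", "0").lower() in ("1", "true"):
                continue                 # disabled inputs send nothing
            by_index[attrs.get("index", default_index)].append(stanza)
    return dict(by_index)


def undefined_indexes(indexes_text, *input_texts):
    """Return {index: [stanzas]} for inputs whose index is not defined.

    [default] and [volume:...] stanzas in indexes.conf are settings, not
    indexes, so they are not counted as definitions.
    """
    defined = {s for s in parse_conf(indexes_text)
               if s != "default" and not s.startswith("volume:")}
    return {idx: st for idx, st in input_index_map(*input_texts).items()
            if idx not in defined}


if __name__ == "__main__":
    missing = undefined_indexes(INDEXES_CONF, SYSTEM_INPUTS, NIX_APP_INPUTS)
    for idx, stanzas in sorted(missing.items()):
        print(f"index '{idx}' is not defined; inputs targeting it: {', '.join(stanzas)}")
```

On a real host, feed the script the merged view rather than single files: `splunk btool inputs list --debug` on the forwarder and `splunk btool indexes list` on the indexer give the effective configuration after app layering, which is what splunkd actually uses.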