Solved: Is it the SA_nix app, or Splunk App for Nix that c...

msarro · ‎10-14-2013

Hey everyone. We have a ton of indexers we need to deploy this app to, and I need to perform all configuration steps in advance so they can be deployed with no post-install configuration using the deployment server. Our search heads are configured to forward all data to indexers.

The documentation isn't so great on doing this - it seems to assume you're doing the install manually on each search head and indexer. That will not work in our environment where we have a short maintenance window and lots of indexers to perform the installation on.

Only the SA_nix app seems to have an indexes.conf file, so I am assuming that that is the one that must be placed on an indexer? It only contains a summary index, it does not contain the OS index that seems to be the default.

Where do I put the indexes.conf entry for the os index so that when we try to log in to the app it doesn't prompt for configuration?

bandit · ‎10-15-2013

In the scenario where you only needed to setup the indexes, you could just copy the contents of the *nix indexes.conf to your own indexes.conf file on your indexer. This assumes that you don't want to collect metrics from your indexers themselves like cpu, memory, etc. and just need to create the indexes so you can forward *nix metrics from other forwarders and/or search heads.

[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

[firedalerts]
coldPath = $SPLUNK_DB/firedalerts/colddb
homePath = $SPLUNK_DB/firedalerts/db
thawedPath = $SPLUNK_DB/firedalerts/thaweddb

[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb
maxTotalDataSizeMB = 10000

View solution in original post

bandit · ‎10-15-2013

In the scenario where you only needed to setup the indexes, you could just copy the contents of the *nix indexes.conf to your own indexes.conf file on your indexer. This assumes that you don't want to collect metrics from your indexers themselves like cpu, memory, etc. and just need to create the indexes so you can forward *nix metrics from other forwarders and/or search heads.

[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

[firedalerts]
coldPath = $SPLUNK_DB/firedalerts/colddb
homePath = $SPLUNK_DB/firedalerts/db
thawedPath = $SPLUNK_DB/firedalerts/thaweddb

[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb
maxTotalDataSizeMB = 10000

msarro · ‎10-16-2013

Excellent - this is what I needed. I created a copy of the SA_nix app's indexes.conf file in the local/ directory, complete with custom volume information for indexers. Everything seems to be working now when being pushed out with the deployment server. Appreciate the help!

bandit · ‎10-15-2013

splunk_app_for_nix-5.0.0-182057.zip, the latest version, has the full app and the TA in a sub directory the zip file.

splunk_app_for_nix-5.0.0-182057.zip\etc\apps\Splunk_TA_nix

Looks like you can also directly download just the TA in its own tgz file (Splunk_TA_nix-5.0.0-181970.tgz)

It appears that the file with the full app and the TA (splunk_app_for_nix-5.0.0-182057.zip) has a slightly newer version of the TA though (build = 182057) where is the TA only file (Splunk_TA_nix-5.0.0-181970.tgz) has a version (build = 181970) according the the app.conf file contained within.

mikelanghorst · ‎10-15-2013

The Splunk For Unix app has 3 components required: The main app, the TA, and the SA. The indexes you're looking for are in the Splunk_TA_unix app.

Is it the SA_nix app, or Splunk App for Nix that contains the indexes.conf for an indexer?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!