Deployment Architecture

enabling *nix with universal forwarder stops forwarding logs from /etc/system/local/inputs.conf

agent462
New Member

I'm trying to get the *nix app going using the universal forwarder. I can forward logs fine from /etc/system/local/inputs.conf until I enable the *nix app. Once I enable the app it does forward *nix /etc/apps/unix/local/inputs.conf logs but not my system defined logs.

When *nix is enabled the splunkd.log just stays on INFO TcpOutputProc - Connected to idx=:9997
When it's disabled it updates fine and shows processing of the log files.

I've tried the configuration from my main Splunk receiver server that is also using *nix and the default one from the unix/defaults/. Both cause the same action.

0 Karma

agent462
New Member

I do have an OS index defined exactly like you described. I should have clarified a little better. My indexer is also my search head all in one box. From the portal I installed the *nix app and it's collecting data for that host.

I'm trying to get one host configured with the forwarder so I can deploy it to the rest of my hosts.

The machine I'm trying to get the Universal Forwarder on will also forward the *nix inputs but only those. Once I disabled the *nix app my inputs defined in my etc/system/local/inputs.conf will start flowing again. It's acting like it's one or the other.

0 Karma

hazekamp
Builder

Most inputs in the *nix app are configured to go to the "os" index. If you do not have this index defined on your indexer, then the data will not be indexed. The easiest way to configure the os index would be to add the following configuration to your $SPLUNK_HOME/etc/system/local/indexes.conf:

## indexes.conf
[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb

Installing the *nix app on your indexer will also provide this index, however it will enable certain things you wouldn't want enabled on a pure indexer.

0 Karma
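The check described in the answer above, as an added example that is not part of the original thread: it lists enabled input stanzas whose target index has no stanza in indexes.conf. The function names and both sample configs are constructed for illustration, and it assumes an input with no index setting goes to "main".

```python
# Added example. Sample configs are constructed; OS_INDEX is the [os] stanza from the answer.
INPUTS_CONF = """\
[monitor:///var/log/messages]
sourcetype = syslog

[script://./bin/cpu.sh]
index = os

[script://./bin/vmstat.sh]
index = os
disabled = 1
"""
INDEXES_CONF = "[main]\nhomePath = $SPLUNK_DB/defaultdb/db\n"
OS_INDEX = """\
[os]
homePath = $SPLUNK_DB/os/db
coldPath = $SPLUNK_DB/os/colddb
thawedPath = $SPLUNK_DB/os/thaweddb
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def inputs_with_missing_index(inputs_text, indexes_text):
    """Return (stanza, index) for enabled inputs whose index is not defined."""
    defined = set(parse_conf(indexes_text)) - {"default"}
    missing = []
    for stanza, cfg in parse_conf(inputs_text).items():
        if stanza == "default" or cfg.get("disabled", "0").lower() in ("1", "true"):
            continue  # global settings and disabled inputs send nothing
        index = cfg.get("index", "main")  # assumption: unset index means "main"
        if index not in defined:
            missing.append((stanza, index))
    return missing

if __name__ == "__main__":
    print(inputs_with_missing_index(INPUTS_CONF, INDEXES_CONF))
```

It reads a single file on each side; on a real host the merged configuration that `splunk btool inputs list --debug` prints is what the forwarder actually uses.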