How to install Splunk TA for Unix on a Universal Forwarder?

kmsnyde
Explorer

The document that provides instructions on how to install Splunk TA for Unix on a Universal Forwarder is for a .tar.gz file. However, the downloaded version I received from Splunk Apps is a .tgz file. When I open this file, the README does not contain installation instructions. How do I install the file named Splunk_TA_nix-4.7.0-156739.tgz on a RHEL Universal Forwarder?

1 Solution

khourihan_splun
Splunk Employee

Here's a slightly longer answer with pictures. Just wrote this up for a Splunk Cloud customer, thought I'd share with you guys:

If you haven’t set up a forwarder and a TA before, it’s a bit tricky.

You will need to download and install the forwarder, then install the Technology Add-on; you can download it at apps.splunk.com. Make sure you get the TA, not the app.

You should read this page, and specifically here, on how to set up your forwarder and Unix TA (Technology Add-on – that goes out and collects the lsof, netstat, vmstat etc… data)

The tricky part is: after you install the forwarder and the TA, you still need to enable the inputs, so you can run this script:

$SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh

You log in using the default creds; assuming you haven’t changed them, it’s admin / changeme

And that gives you a menu:

*** Splunk> *nix command-line setup > MAIN MENU ***

You are currently managing Splunk server 'localhost.localdomain'

    Please choose from one of the following options:

1 - show *nix input status
2 - manage *nix inputs
3 - install/upgrade app
4 - change credentials
5 - connect to remote instance

0 - logout and exit program

Enter selection:

Select 2, and then you can just enable all, or whatever you want really.

*** Splunk> *nix command-line setup > MANAGE INPUTS ***

You are currently managing Splunk server 'localhost.localdomain'

    Please choose from one of the following options:

1 - manage one input
2 - enable all inputs
3 - disable all inputs
4 - go back to main menu

0 - logout and exit program

Enter selection:

To start, probably choose #2, then we can tune it back later.

Then, after you ‘0’, you can return to your trial and hit up the app. You’ll see data now.

Regards,
Kyle

samywee
New Member

setup.sh did not run on my Ubuntu 16.04 server. Issue with function definition for /bin/sh.

I had to change the first line from #!/bin/sh to #!/bin/bash

0 Karma

alexlit
Explorer

I have done that, but I still get nothing when I hit the app.

Do you know what could be the problem?

0 Karma

malmoore
Splunk Employee

Hi kmsnyde,

.tar.gz and .tgz are the exact same type of file. Your *nix system should have no trouble reading the file.

You can install the TA using the same instructions.
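
The install step discussed in this thread, as an added example that is not part of the original posts or Splunk's own tooling: before unpacking the .tgz into $SPLUNK_HOME/etc/apps, it checks that every archive member sits under the expected Splunk_TA_nix directory. The function names and the assumed top-level layout of the archive are hypothetical, and the check covers member names only, not symlink targets.

```shell
#!/bin/sh
# Added example (hypothetical helper names): unpack a TA tarball into the
# forwarder's apps directory only if all members stay inside one app directory.

# check_ta_archive ARCHIVE APPDIR
# 0 = every member is APPDIR or below; 1 = stray/traversal path; 2 = unreadable.
check_ta_archive() {
    archive=$1 appdir=$2
    # .tgz and .tar.gz are the same format, so tar -z reads either one.
    listing=$(tar -tzf "$archive") || return 2
    [ -n "$listing" ] || return 2
    # The loop runs in a subshell; its exit status becomes the function's.
    printf '%s\n' "$listing" | while IFS= read -r member; do
        case $member in
            /*|../*|*/../*|*/..) exit 1 ;;   # absolute path or ".." component
            "$appdir"|"$appdir"/*) ;;        # inside the expected app directory
            *) exit 1 ;;                     # anything else at the top level
        esac
    done
}

# install_ta ARCHIVE APPS_DIR APPDIR
# APPS_DIR is $SPLUNK_HOME/etc/apps on the forwarder.
install_ta() {
    archive=$1 apps_dir=$2 appdir=$3
    [ -d "$apps_dir" ] || { echo "no such apps dir: $apps_dir" >&2; return 3; }
    check_ta_archive "$archive" "$appdir" || {
        echo "refusing $archive: unexpected member paths" >&2
        return 1
    }
    tar -xzf "$archive" -C "$apps_dir" || return 2
    # setup.sh is the script the accepted answer runs to enable inputs.
    [ -f "$apps_dir/$appdir/bin/setup.sh" ]
}

# Usage:
#   sh install_ta.sh Splunk_TA_nix-4.7.0-156739.tgz "$SPLUNK_HOME/etc/apps" Splunk_TA_nix
[ "$#" -ne 3 ] || install_ta "$@"
```

After a successful install, enable the inputs with the setup.sh menu described in the accepted answer.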

kmsnyde
Explorer

Thanks. Those are the instructions I have but I did not realize (or try) that it would work the same (substituting the file extension).

0 Karma