I've just installed the Splunk App for *Nix. The indexer/forwarder that it is on is Windows based, running splunk 6. I have 1 redhat linux box configured with the add-on and the universal forwarder to send to this box. When I navigate to the Splunk for Nix app, i get the following error messages:
The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'syslog'.
The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'osx_secure'.
The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'linux_secure'.
The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'aix_secure'.
The lookup table 'linux_service_startmode_lookup' does not exist. It is referenced by configuration 'source::...(Linux|Unix):Service'.
The lookup table 'fs_notification_change_type_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'da_version_range_lookup' does not exist. It is referenced by configuration 'source::...(AIX|FreeBSD|HPUX|Linux|OSX|Solaris|Unix):Version'.
The lookup table 'da_update_status_lookup' does not exist. It is referenced by configuration 'source::...(AIX|FreeBSD|HPUX|Linux|OSX|Solaris|Unix):Update'.
Here's a screenshot (i62.tinypic.com/1qo310.png) of the error.
A bit of googling around hasn't shown me anything useful. I've re-installed twice and am still having the same issue.
The installation and configuration instructions are a bit fuzzy on some details, so maybe I'm missing something.
Also, instructions talk about configuring the Add-on on the search head/indexer. When trying to set it up I get an error message telling me that since its not on linux/unix there are no config options available.
Can anyone tell me what I'm missing here? I'm a bit stumped.
Thanks.
The problem is that the SA-nix and/or Splunk_TA_nix aren't being installed properly. You might have more than 30 apps on your system and be running Splunk 6.1. The workaround is to copy SA-nix and Splunk_TA_nix from splunk_app_for_nix/install into your $SPLUNK_HOME/etc/apps directory and restart Splunk.
The problem is that the SA-nix and/or Splunk_TA_nix aren't being installed properly. You might have more than 30 apps on your system and be running Splunk 6.1. The workaround is to copy SA-nix and Splunk_TA_nix from splunk_app_for_nix/install into your $SPLUNK_HOME/etc/apps directory and restart Splunk.
Well I didn't have more than 30 apps, but I'm on splunk 6.1.
You were 100% right with your diagnosis and solution. Manually installing the two supporting apps completely fixed it!
You're amazing, Thanks!