Hello,
This is what is listed in the documentation for the **Splunk Add-on for Unix and Linux**.
[https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/InstalltheSplunkAppforUnixandLinux][1]
Create an index
The Splunk Add-on for Unix and Linux is a separate download from Splunkbase. Versions 6.0.0 and later of the Splunk Add-on for Unix and Linux do not include indexes. For the Splunk App for Unix and Linux, complete the following steps to create an index on your indexer:
1. Make a local directory in the splunk_app_for_nix folder if you don't have one already.
2. From the app's Default directory, copy macros.conf and savedsearches.conf into your local directory.
3. Edit the os-index macro in macros.conf as follows: index=os.
You can also make a custom index: index=.
4. Edit the fired_alerts saved search in savedsearches.conf as follows: `| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=os.`
This is the environment on our Indexer. There is no **splunk_app_for_nix** folder on the Indexer.
Note: I bolded every other file/folder to make it easier to read this post.
[root@splnkIndexer splunk]# ls
**bin** include **openssl** splunk-7.2.2-48f4f251be37-linux-2.6-x86_64-manifest
**copyright.txt** lib **README-splunk.txt** var
**etc** license-eula.txt **share**
[root@splnkIndexer splunk]# cd etc
[root@splnkIndexer etc]# ls
**anonymizer** log-btool-debug.cfg **passwd**
apps **log.cfg** prettyprint.xsl
**auth** log-cmdline.cfg **regid.2001-12.com.splunk-Splunk-Enterprise.swidtag**
copyright.txt **log-cmdline-debug.cfg** searchLanguage.xml
**datetime.xml** log-debug.cfg **shcluster**
deployment-apps **login-info.cfg** splunk-enttrial.lic
**disabled-apps** log-searchprocess.cfg **splunk-launch.conf**
findlogs.ini **log-utility.cfg** splunk-launch.conf.default
**init.d** master-apps **splunk.version**
instance.cfg **modules** system
**licenses** myinstall **users**
log-btool.cfg **openldap**
[root@splnkIndexer etc]# cd apps
[root@splnkIndexer apps]# ls
**alert_logevent** introspection_generator_addon **search** splunk_httpinput **Splunk_TA_windows**
alert_webhook **launcher** sendtoindexer **splunk_instrumentation** user-prefs
**appsbrowser** learned **splunk_archiver** SplunkLightForwarder
**framework** legacy **SplunkForwarder** splunk_monitoring_console
**gettingstarted** sample_app **splunk_gdi** Splunk_TA_nix
Note: The **Splunk Add-on for Unix and Linux** is installed on both the Indexer and the Search Head.
Thanks in advance for any direction/help.
God bless,
Genesius
[1]: https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/InstalltheSplunkAppforUnixandLinux
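The four documented steps quoted above, as an added example that is not from the post or from Splunk: a POSIX shell script that creates `local`, copies the two conf files only if they are not already there, rewrites just the `os-index` definition and the `fired_alerts` search, and reads the values back. The app directory argument and the sample `default/` files it builds are assumptions (constructed stand-ins); on a real indexer the directory would be `$SPLUNK_HOME/etc/apps/splunk_app_for_nix`, and the script refuses to run when that directory has no `default/`, which is the situation on the indexer listed above.

```shell
#!/bin/sh
# Added example, not the post's or Splunk's own code: applies the four documented
# steps to an app directory and reads the result back. Assumption: the app directory
# is $SPLUNK_HOME/etc/apps/splunk_app_for_nix and uses the usual "[stanza]" / "key = value" layout.

# set_stanza_key FILE STANZA KEY VALUE: rewrite KEY inside [STANZA] in FILE.
set_stanza_key() {
  file="$1"; stanza="$2"; key="$3"; value="$4"
  awk -v s="[$stanza]" -v k="$key" -v v="$value" '
    /^\[/ { in_s = ($0 == s) }                 # track which stanza we are in
    in_s && $0 ~ ("^" k "[ \t]*=") { print k " = " v; next }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_stanza_key FILE STANZA KEY: print the value currently set for KEY.
get_stanza_key() {
  awk -v s="[$2]" -v k="$3" '
    /^\[/ { in_s = ($0 == s) }
    in_s && $0 ~ ("^" k "[ \t]*=") { sub("^" k "[ \t]*=[ \t]*", ""); print; exit }
  ' "$1"
}

# create_os_index APP_DIR INDEX: the documented steps 1-4, safe to rerun.
create_os_index() {
  app_dir="$1"; idx="$2"
  # Refuses when the app is not installed here (no default/ directory).
  [ -d "$app_dir/default" ] || { echo "no default/ in $app_dir" >&2; return 1; }
  mkdir -p "$app_dir/local"                                       # step 1
  for f in macros.conf savedsearches.conf; do                     # step 2
    [ -f "$app_dir/local/$f" ] || cp "$app_dir/default/$f" "$app_dir/local/$f"
  done
  set_stanza_key "$app_dir/local/macros.conf" os-index definition "index=$idx"   # step 3
  set_stanza_key "$app_dir/local/savedsearches.conf" fired_alerts search \
    "| rest /services/search/jobs | search [search index=_audit action=alert_fired | fields sid] | collect index=$idx"  # step 4
}

# make_sample_app DIR: constructed stand-in for the app's default/ files (not the real ones).
make_sample_app() {
  mkdir -p "$1/default"
  printf '[os-index]\ndefinition = index=*\niseval = 0\n' > "$1/default/macros.conf"
  printf '[fired_alerts]\nsearch = | rest /services/search/jobs\n' > "$1/default/savedsearches.conf"
}

# Demo on a throwaway copy; on a real host pass the app directory instead.
demo_dir=$(mktemp -d) && make_sample_app "$demo_dir"
create_os_index "$demo_dir" os
get_stanza_key "$demo_dir/local/macros.conf" os-index definition   # prints index=os
rm -rf "$demo_dir"
```

On a real host, `$SPLUNK_HOME/bin/splunk btool macros list --debug` shows which file the effective `os-index` definition is read from, so you can confirm the `local` copy won.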