Differences

This shows you the differences between two versions of the page.

--- monitoring:splunk [2024/03/25 10:30]
manu
+++ monitoring:splunk [2024/07/03 11:13] (current)
manu [AIX]
@@ Line 2: / Line 2: @@
 ===== AIX =====
+Current splunkforwarder version is 9.2
+<cli prompt='>'>
+root@aix01 /root> cat /opt/splunkforwarder/etc/splunk.version
+VERSION=9.0.1
+BUILD=82c987350fde
+PRODUCT=splunk
+PLATFORM=AIX-powerpc
+</cli>
 Create a user splunk and group
-  FIXME check the right limits
+FIXME check the right limits
 <cli prompt='>'>
+root@aix01 /root> mkgroup id=2500 splunk
+root@aix01 /root> mkuser id=2500 pgrp=splunk groups=staff,splunk fsize=-1 data=2621440 rss=262144 splunk
 root@aix01 /root> lsuser -f splunk
 splunk:
@@ Line 34: / Line 47: @@
 Untar the splunk forwarder package and start install, as **splunk user**
 <cli prompt='>'>
+rootaix01 /opt> chown -R splunk.splunk /opt/splunkforwarder
 splunk@aix01 /home/splunk> /opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt
 This appears to be your first time running this version of Splunk.
@@ Line 68: / Line 83: @@
 </cli>
-Create a service
+Create ass root a service **splunkd**
 <cli prompt='>'>
-root@aix01 /root> odmget -q subsysname="splunkd" SRCsubsys
+root@aix01 /opt> /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
+-071 The splunkd Subsystem has been added.
+SRC subsystem group installed.
+SRC subsystem group is configured to run at boot.
+root@aix01 /opt> odmget -q subsysname="splunkd" SRCsubsys
 SRCsubsys:
@@ Line 77: / Line 97: @@
         cmdargs = "_internal_exec_splunkd"
         path = "/opt/splunkforwarder/bin/splunk"
-        uid = 2500
+        uid = 1601
         auditid = 0
         standin = "/dev/console"
@@ Line 93: / Line 113: @@
         waittime = 20
         grpname = "splunk"
+root@aix01 /opt> cat /etc/inittab
+splunk:2:once:/usr/bin/startsrc -g splunk > /dev/console 2>&1
+root@aix01 /opt> lssrc -a | grep -i  splunk
+ splunkd          splunk                        inoperative
+root@aix01 /opt> ps -ef | grep splu
+  splunk 11207102        1   2 16:41:57      -  0:00 splunkd -p 8089 start
+  splunk 11338186 11207102   0 16:41:57      -  0:00 [splunkd pid=11207102] splunkd -p 8089 start [process-runner]
+root@aix01 /opt> kill 11207102 11338186
+root@aix01 /opt> startsrc -s splunkd
+-059 The splunkd Subsystem has been started. Subsystem PID is 7995758.
+root@aix01 /opt> ps -ef | grep splu
+    root  6881638 10748408   0 16:47:50  pts/0  0:00 grep splu
+  splunk  7995758  5898518 120 16:47:48      -  0:00 splunkd --nodaemon -p 8089 _internal_exec_splunkd
+  splunk 11469220  7995758   0 16:47:50      -  0:00 [splunkd pid=7995758] splunkd --nodaemon -p 8089 _internal_exec_splunkd [process-runner]
+root@aix01 /opt> lssrc -a | grep -i  splunk
+ splunkd          splunk           7995758      active
 </cli>
+Debug (if needed)
 <cli prompt='>'>
-root@aix01 /root> /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
+root@aix01 /root> /opt/splunkforwarder/bin/splunk  btool check --debug
--071 The splunkd Subsystem has been added.
+</cli>
-SRC subsystem group installed.
-SRC subsystem group is configured to run at boot.
-root@aix01 /root> lssrc -a | grep -i  splunk
+Script to Upgrade/install splunk agent
-splunkd          splunk                        inoperative
+<code>
+[root@nim01]/root/scripts> cat install_splunk.sh
+#!/bin/ksh93
+# V1.0 initial version
-root@aix01 /root> ps -ef | grep splu
+splunk_version="VERSION=9.2.1"
-    root 10420368 33685510   0 10:40:18  pts/3  0:00 grep splu
-  splunk 10944578 16973908   0 10:39:43      -  0:00 [splunkd pid=16973908] splunkd -p 8089 start [process-runner]
-  splunk 16973908        1   0 10:39:43      -  0:01 splunkd -p 8089 start
-root@aixtest /opt> kill -9 16973908
-root@aix01 /root> startsrc -s splunkd
+echo "Install/Upgrade Splunk VERSION=9.2.1"
--059 The splunkd Subsystem has been started. Subsystem PID is 10879268.
-root@aix01 /root> lssrc -a | grep -i  splunk
+#-----------------------
-splunkd          splunk           10879268     active
+create_user()
-</cli>
+{
+echo "Add user splunk"
+mkgroup -a id=1500 splunk
+mkuser -a id=1500 pgrp=splunk gecos='splunk' splunk
+lsgroup splunk ; lsuser -a id pgrp groups splunk
+chuser fsize=-1 data=2621440 rss=262144 splunk
+chgrpmem -m + splunk oinstall 2>/dev/null
+}
+#-----------------------
+create_fs()
+{
+echo "Create /opt/splunkforwarder filesystem"
+mv /opt/splunkforwarder /opt/splunkforwarder1
+mkdir /opt/splunkforwarder
+chmod a+rx /opt/splunkforwarder
+mklv -t jfs2 -y splunklv rootvg 1G
+crfs -vjfs2 -m /opt/splunkforwarder -d splunklv -Ayes -a log=INLINE
+mount /opt/splunkforwarder
+chown splunk:splunk /opt/splunkforwarder
+mv /opt/splunkforwarder1/* /opt/splunkforwarder
+rm -r /opt/splunkforwarder1
+startsrc -s splunkd
+}
+#-----------------------
+stop_splunk()
+{
+echo "Stop process"
+stopsrc -g splunk
+for i in $(ps -ef | grep -v grep | grep splunk | grep -v install_splunk | awk '{print $2}')
+do
+kill $i
+done
+ps -ef | grep splunkd |grep -v grep
+}
+#-----------------------
+backup()
+{
+mkdir -p /opt/splunkforwarder
+mkdir -p /root/old
+cd /opt/splunkforwarder/etc/system/; tar cvf /root/old/splunk_local.tar local
+rm /etc/rc.d/init.d/splunkforwarder /etc/rc.d/rc2.d/K10splunkforwarder  /etc/rc.d/rc2.d/S10splunkforwarder
+}
+#-----------------------
+install_bin()
+{
+echo "Install Splunk"
+mount nim01:/repository1/splunk/aix /mnt
+cd /opt
+tar xvf /mnt/splunkforwarder-9.2.1-78803f08aabb-AIX-powerpc.tar
+umount /mnt
+}
+#-----------------------
+rebuild_outputs()
+{
+echo "Overwrite: outputs.conf"
+cat > /opt/splunkforwarder/etc/system/local/outputs.conf << EOF
+[tcpout]
+defaultGroup = default-autolb-group
+[tcpout:default-autolb-group]
+server = splunk-prd.xxx:9997
+[tcpout-server://splunk-prd.xxx:9997]
+EOF
+}
+#-----------------------
+build_inputs()
+{
+echo "Overwrite: inputs.conf"
+cat > /opt/splunkforwarder/etc/system/local/inputs.conf.tmp << EOF
+[default]
+host=myhostname
+disabled=0
+ignoreOlderThan = 30d
+EOF
+host2=`echo "host="$(hostname -s)`
+cat /opt/splunkforwarder/etc/system/local/inputs.conf.tmp | sed "s/host=aixa065/$host2/" > /opt/splunkforwarder/etc/system/local/inputs.conf
+rm /opt/splunkforwarder/etc/system/local/inputs.conf.tmp
+}
+#-----------------------
+rebuild_inputs()
+{
+echo "Modify: inputs.conf"
+cp /opt/splunkforwarder/etc/system/local/inputs.conf /opt/splunkforwarder/etc/system/local/inputs.conf.tmp1
+build_inputs
+grep -vp '\[default\]' /opt/splunkforwarder/etc/system/local/inputs.conf.tmp1 >> /opt/splunkforwarder/etc/system/local/inputs.conf
+rm /opt/splunkforwarder/etc/system/local/inputs.conf.tmp1
+}
+#-----------------------
+rebuild_server()
+{
+echo "Modify: server.conf"
+cp /opt/splunkforwarder/etc/system/local/server.conf /opt/splunkforwarder/etc/system/local/server.conf.tmp
+cat /opt/splunkforwarder/etc/system/local/server.conf.tmp | sed "s/^serverName\ =\ .*/serverName\ =\ $(hostname -s)/" > /opt/splunkforwarder/etc/system/local/server.conf
+rm /opt/splunkforwarder/etc/system/local/server.conf.tmp
+}
+#-----------------------
+change_owner()
+{
+chown -R splunk:splunk /opt/splunkforwarder
+}
+#-----------------------
+configure()
+{
+echo "Configure"
+su - splunk -c "/opt/splunkforwarder/bin/splunk start --accept-license --answer-yes --auto-ports --no-prompt"
+/opt/splunkforwarder/bin/splunk enable boot-start -user splunk
+startsrc -s splunkd
+}
+#-----------------------
+check_status()
+{
+echo "Check"
+lssrc -Ss splunkd
+odmget -q subsysname="splunkd" SRCsubsys
+startsrc -s splunkd
+lssrc -s splunkd
+/opt/splunkforwarder/bin/splunk  btool check --debug
+echo "Process"
+ps -ef | grep -v grep | grep splunk | grep -v install_splunk
+}
+########################
+# main
+########################
+version=$(cat /opt/splunkforwarder/etc/splunk.version | grep VERSION)
+create_user
+if [[ $(df -g | grep -c '/opt/splunkforwarder') == "0" ]]
+then
+  stop_splunk
+  create_fs
+fi
+if [[ "$version" != "$splunk_version" ]]
+then
+  stop_splunk
+  backup
+  install_bin
+  if [[ "$(grep -c 'splunk-prd.xxx' /opt/splunkforwarder/etc/system/local/outputs.conf 2>/dev/null)" != "2" ]]
+  then
+    rebuild_outputs
+  fi
+  if [ -e /opt/splunkforwarder/etc/system/local/inputs.conf ]
+  then
+    host1=$(grep -p '\[default\]' /opt/splunkforwarder/etc/system/local/inputs.conf | grep '^host=')
+    host2=`echo "host="$(hostname -s)`
+    if [[ "$host1" != "$host2" ]]
+    then
+      rebuild_inputs
+    fi
+  else
+    build_inputs
+  fi
+  change_owner
+  configure
+fi
+if [[ "$(grep -c 'splunk-prd.xxx' /opt/splunkforwarder/etc/system/local/outputs.conf 2>/dev/null)" != "2" ]]
+then
+  rebuild_outputs
+  stop_splunk
+fi
+if [ -e /opt/splunkforwarder/etc/system/local/inputs.conf ]
+then
+  host1=$(grep -p '\[default\]' /opt/splunkforwarder/etc/system/local/inputs.conf | grep '^host=')
+  host2=`echo "host="$(hostname -s)`
+  if [[ "$host1" != "$host2" ]]
+  then
+    rebuild_inputs
+    change_owner
+    stop_splunk
+  fi
+else
+  build_inputs
+  change_owner
+  stop_splunk
+fi
-===== Linux =====
+if [ -e /opt/splunkforwarder/etc/system/local/server.conf ]
+then
+  host1=$(grep '^serverName' /opt/splunkforwarder/etc/system/local/server.conf | sed 's/\ //g')
+  host2=`echo "serverName=$(hostname -s)`
+  if [[ "$host1" != "$host2" ]]
+  then
+    rebuild_server
+    stop_splunk
+    change_owner
+  fi
+fi
+stopsrc -s splunkd; sleep 2; startsrc -s splunkd
+check_status
+</code>

wiki

User Tools

Site Tools

Differences

Page Tools