Install the Content Pack for Unix Dashboards and Reports
Perform the following high-level steps to install the Content Pack for Unix Dashboards and Reports:
- Install and configure the Splunk Add-on for Unix and Linux.
- Install the Content Pack for Unix Dashboards and Reports.
- Create indexes.
Prerequisite
Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
Install and configure the Splunk Add-on for Unix and Linux
The Content Pack for Unix Dashboards and Reports relies on data collected by the Splunk Add-on for Unix and Linux.
To learn more about how to enable inputs in the Splunk Add-on for Unix and Linux, see Enable data and scripted inputs for the Splunk Add-on for Unix and Linux in the Splunk Add-on for Unix and Linux manual.
The following table shows the installation locations on the distributed environment for the content pack and the add-on:
Component | Search head / cluster | Indexer / cluster | Forwarder |
---|---|---|---|
Content Pack for Unix Dashboards and Reports | x | | |
Splunk Add-on for Unix and Linux | x | x | x |
Install the Content Pack for Unix Dashboards and Reports
To install the Content Pack for Unix Dashboards and Reports, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the installation instructions for the Splunk App for Content Packs.
The content pack contents are automatically installed and start running when you install the Splunk App for Content Packs on the search head where you installed ITSI or IT Essentials Work.
After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Unix Dashboards and Reports:
- From the ITSI or ITE Work main navigation bar, click Configuration and then Data Integrations.
- Select Content Library.
- Select the Unix Dashboards and Reports content pack.
- Review what's included in the content pack and click Proceed.
- Configure the content pack settings.
Setting | Description |
---|---|
Modify status of saved searches | This configuration step is displayed only if the content pack contains saved searches. Within this configuration, you can perform one of the following operations: Activate all saved searches (activates all the saved searches associated with the content pack); Deactivate all saved searches (deactivates all the saved searches associated with the content pack); Retain current status of saved searches (preserves the existing status of the saved searches within the content pack). Note: By default, saved searches included in a content pack are in a deactivated state. |
- Click the Activate/Deactivate all saved searches button to modify the status of the saved searches of the Content Pack for Unix Dashboards and Reports.
- Click Install to confirm the installation. After the installation completes, the content pack tile shows the current status of all the saved searches of the content pack.
Create indexes
The Content Pack for Unix Dashboards and Reports requires two indexes on the search head for indexing and showing the details of the fired alerts.
Create the indexes unix_summary and firedalerts using the following resources:
- For Splunk Enterprise, see Create events indexes.
- For Splunk Cloud Platform, see Create a Splunk Cloud Platform events index.
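For Splunk Enterprise, the two indexes can also be defined directly in an indexes.conf file on the search head. The stanzas below are an added example, not taken from the Splunk documentation; the $SPLUNK_DB paths follow the default index layout and are assumptions to adapt to your storage, and Splunk must be restarted after editing indexes.conf by hand.

```ini
# indexes.conf (added example; place in the local directory of the app
# or system configuration you use for index definitions)

# Summary index used by the content pack
[unix_summary]
homePath   = $SPLUNK_DB/unix_summary/db
coldPath   = $SPLUNK_DB/unix_summary/colddb
thawedPath = $SPLUNK_DB/unix_summary/thaweddb

# Index that stores details of fired alerts
[firedalerts]
homePath   = $SPLUNK_DB/firedalerts/db
coldPath   = $SPLUNK_DB/firedalerts/colddb
thawedPath = $SPLUNK_DB/firedalerts/thaweddb
```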