Manually configure an OSX integration
Collect data from OSX entities by installing and customizing the file below.
Steps
1. Download and install OSX
Download the following file:
After downloading, manually customize the following install script using information from Step 2:
Installation script
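Customize the following installation script. Its wget command passes --no-check-certificate, which disables TLS certificate validation for the archive whose scripts the following lines run with bash.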
export SPLUNK_URL="$SPLUNK_URL" && \
export HEC_PORT="$HEC_PORT" && \
export RECEIVER_PORT="$RECEIVER_PORT" && \
export INSTALL_LOCATION="$INSTALL_LOCATION" && \
export HEC_TOKEN="$HEC_TOKEN" && \
export ITSI_ENABLE_DOCKER=$ITSI_ENABLE_DOCKER && \
export ITSI_DOCKER_SOCK="$ITSI_DOCKER_SOCK" && \
export DIMENSIONS=$DIMENSIONS && \
export METRIC_TYPES=$METRIC_TYPES && \
export METRIC_OPTS=$METRIC_OPTS && \
export LOG_SOURCES="$LOG_SOURCES" && \
wget -o- --no-check-certificate https://docs.splunk.com/images/8/8b/OSX_Agent.zip && \
unzip OSX_Agent.zip && \
cd osx-agent && \
bash install_uf.sh && \
bash install_agent.sh && \
cd .. && \
rm -rf osx-agent
2. Specify configuration options
The following table describes the variables to configure for the installation script:
| Variable | Description |
|---|---|
| $SPLUNK_URL | Specify the FQDN or IP address of the Splunk instance you want to send data to. Do not enter a hostname. |
| $HEC_PORT | Specify the HEC port of the Splunk instance you want to send metrics data to. The default port is 8088. |
| $RECEIVER_PORT | Specify the receiver port of the Splunk instance you want to send logs data to. The default port is 9997. |
| $INSTALL_LOCATION | Specify the file location to install the Splunk Universal Forwarder to. The default location is /Applications/. |
| $HEC_TOKEN | Specify the HEC token you configured to send data to the Splunk instance. This should be a HEC token with access to the metrics index (default: itsi_im_metrics). The HEC token's sourcetype must be itsi_im_metrics. Tokens must be enabled in the global HEC settings at $SPLUNKWEB/en-US/manager/itsi/http-eventcollector. |
| $ITSI_ENABLE_DOCKER | If this is true, then the Splunk Universal Forwarder will monitor Docker containers you are running on the host. Leave this empty (``) if this behavior is undesired. |
| $ITSI_DOCKER_SOCK | Specify the location of docker.sock, the Docker socket. The default location is /var/run/docker.sock. |
| $DIMENSIONS | Specify the dimensions to associate with this entity. This is a comma-separated value where each individual entry is a dimension key (without quotes) plus ":" (without quotes) plus a dimension value (with quotes). An example value is owner:"me",version:"3",location:"USA". Leave blank if this behavior is undesired. |
| $METRIC_TYPES | Specify the types of metrics to collect with collectd. This is a comma-separated value where each individual entry is a collectd plugin. The default value is cpu,uptime,df,disk,interface,load,memory. |
| $METRIC_OPTS | If this is cpu.by_cpu, then collectd will collect data for each CPU. If this is cpu.sum, then collectd will sum for all CPUs before sending data. |
| $LOG_SOURCES | Specify the logs to collect from the instance with the Splunk Universal Forwarder. This is a comma-separated string where each individual entry is a directory plus "%" plus the sourcetype of the log. Be sure to escape dollar signs and other reserved shell characters. The default value is "/etc/collectd/collectd.log%collectd,$SPLUNK_HOME/var/log/splunk/.log%uf,/var/log/system.log%systemlog". |
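
The value formats in the table above can be checked before the installer runs, so that a malformed address, port, dimension list or log source is caught before anything is installed. The following shell functions are an added example, not part of the Splunk agent or of this page's scripts. The function names, the IPv4-only address check, accepting only the two documented METRIC_OPTS values, and the character sets accepted for dimension keys and sourcetypes are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks for the installer variables in the table above.
# Function names are hypothetical; none of this ships in OSX_Agent.zip.
NL='
'
matches() {             # true only if the whole single-line value matches the ERE
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq -- "$2"
}
valid_port() { matches "$1" '^[1-9][0-9]{0,4}$' && [ "$1" -le 65535 ]; }
valid_splunk_url() {    # IPv4 or dotted FQDN; bare hostnames, schemes and paths fail
  if matches "$1" '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
  fi
  matches "$1" '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}
valid_dimensions() {    # blank, or key:"value" pairs; key character set is an assumption
  [ -z "$1" ] || matches "$1" '^[A-Za-z0-9_.-]+:"[^",]*"(,[A-Za-z0-9_.-]+:"[^",]*")*$'
}
valid_metric_opts() { case $1 in cpu.by_cpu|cpu.sum) return 0 ;; *) return 1 ;; esac; }
valid_log_sources() {   # <path>%<sourcetype> entries; sourcetype character set is an assumption
  entry='(/|\$SPLUNK_HOME/)[^,%]*%[A-Za-z0-9_:-]+'
  matches "$1" "^$entry(,$entry)*\$"
}
check() { "$2" "$3" || { echo "invalid $1: '$3'" >&2; bad=1; }; }
preflight() {           # reports every failing variable; non-zero status if any failed
  bad=0
  check SPLUNK_URL    valid_splunk_url  "${SPLUNK_URL-}"
  check HEC_PORT      valid_port        "${HEC_PORT-}"
  check RECEIVER_PORT valid_port        "${RECEIVER_PORT-}"
  check DIMENSIONS    valid_dimensions  "${DIMENSIONS-}"
  check METRIC_OPTS   valid_metric_opts "${METRIC_OPTS-}"
  check LOG_SOURCES   valid_log_sources "${LOG_SOURCES-}"
  # The token is a secret: test only that it is set, and never echo its value.
  [ -n "${HEC_TOKEN-}" ] || { echo "invalid HEC_TOKEN: empty" >&2; bad=1; }
  return "$bad"
}
# Constructed sample values (not a real endpoint or token).
( SPLUNK_URL=splunk.example.com; HEC_PORT=8088; RECEIVER_PORT=9997
  HEC_TOKEN=constructed-token; DIMENSIONS='owner:"me",version:"3"'; METRIC_OPTS=cpu.sum
  LOG_SOURCES='/var/log/system.log%systemlog'
  preflight && echo "preflight passed" )
```

Calling preflight after the export lines and before install_uf.sh stops the chain on the first malformed value.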
Uninstall script
Use this script to reverse any changes or modifications.
export INSTALL_LOCATION="$INSTALL_LOCATION" && \
wget -o- --no-check-certificate https://docs.splunk.com/images/8/8b/OSX_Agent.zip && \
unzip OSX_Agent.zip && \
cd osx-agent && \
bash uninstall_agent.sh && \
cd .. && \
rm -rf osx-agent