Blue Flower

Wouldn't it be nice if Splunk could tell you how many dodgy hard drives you have running on your network?  That would be so cool. So here we  are going to try to do just that thanks to Luke Murphey and its Disk Monitoring app for Splunk Enterprise.

Go ahead and download the app for your Splunk Enterprise from this link:


Installing and configuring the app on your Splunk Enterprise Server


Installation for Windows

Once you have installed the app on your Splunk Enterprise server, you need to install the Splunk Universal Forwarder on your windows client machines

1.Check to accept the license

2. Leave the "Deployment Server" blank, we'll do it later with a command, but enter the "Receiving Indexer" with the IP of your Splunk Enterprise

3.Once you finish installing the Universal Forwarder, copy the Disk Monitoring app (the "smartmon" folder) from the location SPLUNK_HOME$\etc\app on the Splunk Enterprise to the Windows client. Use "netstat" to verify that you are connected to the Splunk server by port 9997

4. Open the Command Prompt with Administrative privileages, and navigate to the "smartmon" folder > bin and run the 2 x windows scripts that are there, this will generate some data that will be passed to the Splunk Disk monitoring app. Then issue these two commands to ensure that splunk starts at boot up

C:\Program Files\SplunkUniversalForwarder\bin\splunk enable boot-start

C:\Program Files\SplunkUniversalForwarder\bin\splunk restart

 If the cmd files don't work, copy the "systemct.exel" to C:\windows and modify the script files to launch the utility from the C:\windows path


Installation on iMacs

This is the fun part! For the MAC OSX to talk to Splunk, be very much aware that the port 9997 (which is the beloved port for Splunk) is in use on the OSX world for some kind of chat program called "palace". You can verify that by open the "Network Utility" on a Mac OSX and select to scan for the ports of your Splunk Enterprise server

That means that we have to use another port for communicating to Splunk Enterprise. So go ahead and visit this website that list all ports assigned on the Internet and use a completely free one of your choise

For my example, I'm using port 10587, which as you can see if not being assigned to anything:

You need to add that port as well (of course) on the Splunk Enterprise. To do that visit Settings >Forwarding and Receiving > Receive Data and add port 10587 so the clients can send data to that port

Once all this is configured, start the installation on the MACs by following these steps:

  1. Install Splunk Universal Forwarder
  2. Install smartmontools
  3. Copy "smartctl" file from /usr/local/sbin to /usr/local/bin
  4. Copy the scripts to the folder SPLUNK_HOME$/bin
  5. Copy the "smartmon" folder to SPLUNK_HOME$/etc/apps
  6. Configure Splunk Universal Forwarder


1. Logon to your iMac and start the installation of the Universal Forwarder

After installation, follow the prompts of t he kind little helper...

Install the needed code if necessary

And finally start Splunk, which will be pointless anyway as we have not configure it yet, but let's be kind to the Little Helper

2.Visit the address and install the smarmontools package on your iMac


3. The installation of smartmoontools place the "smatctl" program and associated in the folder /usr/local/sbin, which your iMac won't find on its path unless you add it to your environment. I find much easier to just visit that folder (Open Finder > Go > Go to Folder...) and copy the files to the location /usr/local/bin, which will be found by your iMac

3 and 4. Visit  the "smatmoon" apps folder on your Splunk Enterprise and copy the two .sh scripts that you will find on the location /smartmon/bin to the location /SPLUNK_HOME$/bin


5. Finally, we just need to configure the forwarder on the terminal as follows (ensure you execute the commands at the SPLUNK_HOME$\bin folder):


sudo ./splunk enable boot-start

sudo ./splunk add monitor

sudo ./splunk add monitor

sudo ./splunk add forward-server

sudo ./splunk restart


./ //**run both scripts to get some data before restarting splunk



At this point you should start receiving data on Splunk from that client, open a search in Splunk Enterprise and issue " host =myhost" to see if you get any data, it may take a few minutes to get there. If you still don't get any data, use these commands to troubleshoot


netstat -ap tcp  //**verify that ports 10587 is open to the splunk enterprise server

./splunk list monitor //**the scripts should be listed there

./splunk list forward-server //**it should be active





Just like on Windows, copy the "smartmoon" folder into /Applications/SplunkForwarder/etc/apps


Copy the "smartctl" to the path of splunk???







Print Friendly, PDF & Email

Comments powered by CComment