Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot the Splunk Add-on for Unix and Linux

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Events not getting tagged to the desired event type after upgrading to version 8.8.0

See Upgrade the Splunk Add-on for Unix and Linux.

Errors seen in splunkd for rlog.sh script

Error parsing start date (MM/DD/YYYY)

Locales other than en_US.UTF-8 are currently not supported by ausearch command which is being used in rlog.sh. If you are using locales other than en_US.UTF-8 you will have to use the locale as en_US.UTF-8 or its equivalent depending on your country.

Errors seen in output of Update.sh script

2021-12-23 06:50:15,873 [ERROR] yum:13717:MainThread @logutil.py:194 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr

2021-12-23 06:50:15,875 [ERROR] yum:13717:MainThread @identity.py:156 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 13] Permission denied: '/etc/pki/consumer/key.pem'

If you see errors similar or same as above errors, then provide the necessary permissions for the user running splunkd to read those files.

sshdChecker.sh and vsftpdChecker.sh scripted inputs giving some file permission errors

If you see file permission errors for the files 'sshd_config' (for sshdChecker.sh) and 'vsftpd.conf' (for vsftpdChecker.sh), then please provide the necessary permissions for the user running splunkd to read those files.



Missing data from scripts

If data is missing from the script output, you can run the scripts in debug mode and use the additional information to look for the cause of the missing data.

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Run sh <script_name> --debug to run the script in debug mode.
  3. The debug output is saved in debug--<script_name>--<date_and_time_of_execution>. This file contains the command that was executed, and its output or the failure reason. Use this information to resolve the missing data issue.

Unexpected values for cpu_load_percent and cpu_user_percent fields

The Splunk Add-on for Unix and Linux version 6.0.1 enhanced field extraction for the sourcetype cpu by extracting cpu_user_percent and cpu_load_percent fields for specific core numbers as well as for all instances. To query across all, which is what previous versions of the add-on do, use cpu=all. To query for a specific core number, include the number in your query, such as cpu=1.

Multiple events in package source type

In the packagesourcetype of the Splunk Add-on for Unix and Linux version 6.0.1, all installed software packages are listed in one event, and there are no field extractions. In version 6.0.2 of the Splunk Add-on for Unix and Linux, events are divided into separate events per software package, and fields are extracted automatically for each event. This also applies to existing events.

Make CPU core statistics info in FreeBSD OS similar to other supported OS configurations

In version 6.0.1 of the Splunk Add-on for Unix and Linux 6.0.1, the cpu sourcetype for FreeBSD OS has CPU statistics for all cores as a single event, whereas for other OS configurations, there are separate events for separate cores as well as single event for all cores. In version 6.0.2 of the Splunk Add-on for Unix and Linux, cpu.sh script output data for FreeBSD OS is consistent with other OS configurations.

Not getting data from nfsiostat scripts

See Missing data from scripts to check the script behavior in debug mode.

If the output of script file in debug mode is "Not found command nfsiostat on this host," then install the nfsutils package. If data is not indexed after installing this package, then check the script in debug mode again. If the output is "No NFS mount points were found," then the NFS file system is missing. You need to set up NFS mount to get this data into your Splunk platform deployment.

COMMAND field is truncated in the data collected from ps.sh scripted input

If your environment contains any commands longer than 100 characters, perform the following steps to extend your deployment's maximum command length:

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Open a CLI and enter vi ps.sh
  3. Navigate to to line 21, and change %-100.100s to a command length that fits your environment. For example, %-200.200s.
  4. Save your changes.


LC_CTYPE error for rlog.sh input

If you receive the error "locale: Cannot set LC_ALL to default locale: No such file or directory, verify the following:


If you are connecting to a Linux or Unix machine using a Mac OS Terminal, verify that the locale set is the same for both operating system (OS) platforms.

  • If the locale sets do not match, sync them, using the commands specific to your OS platform.
  • As a best practice, keep LANG="en_US.UTF-8". Alternate values are supported, as long as the values are the same for your remote machine and the machine from which you are logging in.

Scripted input not working due to insufficient permissions

Verify that you have execute rights for the bin folder. The scripts will display permission denied in the splunkd.log if you don't. Splunk must be installed and executed as root user for this Add-on to work properly.

Last modified on 08 November, 2023
PREVIOUS
Enable data and scripted inputs for the Splunk Add-on for Unix and Linux
  NEXT
Lookups for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters