Splunk® Add-on for Unix and Linux (Legacy)

Deploy and Use the Splunk Add-on for Unix and Linux

The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.

What data the Splunk Add-on for Unix and Linux collects

Data collection

The Splunk Add-on for Unix and Linux collects the following data using file inputs:

  • Changes to files in the /etc directory and subdirectories.
  • Changes to files in the /var/log directory and subdirectories.

The add-on collects the following data with scripted inputs:

  • CPU statistics via the sar, mpstat and iostat commands (cpu.sh scripted input).
  • Free disk space available for each mount via the df command (df.sh scripted input).
  • Hardware information - CPU type, count, and cache; hard drives; network interface cards and count; and memory via the dmesg, iostat, ifconfig, and df commands (hardware.sh scripted input).
  • Information about the configured network interfaces via the ifconfig and dmesg commands (interfaces.sh scripted input).
  • Input/output statistics for block devices and partitions via the iostat command (iostat.sh scripted input).
  • Last login times for system accounts via the last command (lastlog.sh scripted input).
  • Information about files opened by processes via the lsof command (lsof.sh scripted input).
  • Network connections, routing tables and network interface statistics via the netstat command (netstat.sh scripted input).
  • Available network ports via the netstat command (openPorts.sh scripted input).
  • Information about software packages or sets that are installed on the system via the dpkg-query, pkginfo, and pkg_info commands (package.sh scripted input).
  • Information about TCP/UDP transfer statistics via the netstat command (protocol.sh scripted input).
  • Status of current running processes via the ps command (ps.sh scripted input).
  • Audit information recorded by the auditd daemon to /var/log/audit/audit.log (rlog.sh scripted input).
  • System date and time and NTP server time via the date and ntpdate commands (time.sh scripted input).
  • List of running system processes via the top command (top.sh scripted input).
  • User attribute information for the local system via the /etc/passwd file (usersWithLoginPrivs.sh scripted input).
  • Process related memory usage information via the top, vmstat, and ps commands (vmstat.sh scripted input).
  • Information of all users currently logged in via the who command (who.sh scripted input).

The Splunk Add-on for Unix and Linux puts all the data it collects into a special index called os.

Note: The add-on displays question marks ("?") for blank fields that the scripted inputs return within individual events. This is expected behavior to preserve field spacing, and is not cause for concern.

Indexing volume

The Splunk App for Unix and Linux collects around 200MB of data per host per day. The app can collect slightly more or less based on individual host activity.

Last modified on 26 April, 2018
 

This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 6.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters