Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux


On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

Release notes

This topic contains information on new features, known issues, and updates as we version the Splunk App for Unix and Linux.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • The TA now supports HP/UX.
  • The TA can now be used on universal forwarders, as it collects all data with shell scripts.
  • New scripted inputs have been added to facilitate tighter integration with the Splunk App for Enterprise Security.

Current known issues

The Splunk Technology Add-on for Unix and Linux has the following known issues:

  • On Solaris servers with fewer than two processors, the cpu.sh scripted input does not return results. As a result, the Percent Load by Host dashboard does not display information for those hosts. (NIX-275)
  • The common.sh scripted input does not set the LANG locale environment variable. This can cause problems for *nix systems that use a locale other than "en_US" or "en_US.UTF8": the output of several commands displays differently based on the system's locale, which affects how scripted inputs interpret the data that the commands generate. To work around the problem, edit $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/common.sh and add the following line at the beginning (NIX-203):
    LANG=en_US.UTF8
  • On FreeBSD systems, the lsof.sh scripted input is not functional. (SPL-44786)
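
An added example (not from Splunk's documentation or the TA itself) that applies the NIX-203 workaround above idempotently, so it can be re-run safely on each host. The function names are hypothetical, and placing the line after an existing "#!" line is an assumption about how "at the beginning" is handled.

```shell
#!/bin/sh
# Added example: idempotently apply the NIX-203 workaround to common.sh.
# has_lang_fix and apply_lang_fix are hypothetical helper names.

LANG_LINE='LANG=en_US.UTF8'   # the exact line given in the release notes

# Return 0 if the workaround line is already one of the first two lines.
has_lang_fix() {
    head -n 2 "$1" | grep -qxF "$LANG_LINE"
}

# Insert LANG_LINE at the beginning of the file (directly after a "#!"
# line if the file has one; that placement is an assumption). Keeps a
# .bak copy and leaves the file untouched when the line is present.
apply_lang_fix() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 2; }
    if has_lang_fix "$file"; then
        return 0
    fi
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if head -n 1 "$file" | grep -q '^#!'; then
        { head -n 1 "$file"; echo "$LANG_LINE"; tail -n +2 "$file"; } > "$tmp"
    else
        { echo "$LANG_LINE"; cat "$file"; } > "$tmp"
    fi
    # Write through cat so the original file keeps its mode and owner.
    cp -p "$file" "${file}.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Run as: sh fix_lang.sh "$SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/common.sh"
if [ -n "${1:-}" ]; then
    apply_lang_fix "$1"
fi
```

If LC_ALL is set in the environment that starts the scripted inputs, it takes precedence over LANG.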

Change log (what's been fixed)

From version 4.6 to 4.7

  • The TA now supports HP/UX. (NIX-75)
  • The TA now has improved integration with the Splunk App for Enterprise Security. Nine new scripted inputs have been added which replace several apps included in the previous version of that product. (NIX-205, SOLNESS-3111)

From version 4.5 to 4.6

  • The search command for file system changes now works properly. (APP-28)
  • The TA no longer complains of missing fields for some search results, in particular, pctIoWait. (APP-42)
  • The TA now properly captures both SSH login successes and failures. (APP-63)
  • When commands with the same name run at the same time, the TA now properly adds their resource usage statistics together, instead of averaging them. (APP-67)
  • On Oracle Enterprise Linux (OEL) and AIX systems with Micro-partitioning enabled, the TA's cpu.sh script now produces correct information about the computer's CPU. (APP-82)
  • The TA's scripts now function properly on Mac OS X 10.7 Lion. (APP-98)
  • On all versions of Mac OS X, the TA now properly captures failures with the 'su' command. (APP-101)
  • The TA's interface.sh script no longer exhausts a server's TCP connection pool in an attempt to get reverse DNS information. (APP-106)
  • The TA now properly captures user creation events. (APP-145)
  • On Solaris systems, the TA now properly gathers and displays memory statistics in megabytes instead of kilobytes. (APP-152)
  • The TA's interfaces.sh now properly captures network interface information on all OS versions. (APP-160, APP-162)
Last modified on 19 June, 2013

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 4.7

