Troubleshoot the Splunk Add-on for Linux
General troubleshooting
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Cannot launch add-on
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Check if the add-on is intended to be visible or not in the Splunk Add-ons Troubleshooting topic.
Validate data collection
Validate the data inputs to make sure that you are ingesting the data you expect.
- HEC: sourcetype=linux:collectd:http:json index=<collectd-source-index>
- HEC with metrics data: | mstats count(_value) where metric_name=* AND index=<metrics index name> by metric_name
- TCP: sourcetype=linux:collectd:graphite index=<collectd-source-index>
- AuditD: sourcetype=linux:audit index=<auditd-source-index>
The default search uses index="main".
Audit data not collected
Create a new TCP data input configuration and make sure the source type is set to linux:audit.
If you are collecting audit data in a syslog source type using TCP, then you must assign the correct source type.
- Add the following stanza to $SPLUNK_HOME/etc/apps/Splunk_TA_Linux/local/props.conf:
[syslog]
TRANSFORMS-linux_syslog = linux_syslog_audit
- Add the following stanza to $SPLUNK_HOME/etc/apps/Splunk_TA_Linux/local/transforms.conf (DEST_KEY, REGEX and FORMAT are transforms.conf settings; the [syslog] stanza above references this transform by name):
[linux_syslog_audit]
DEST_KEY = MetaData:Sourcetype
REGEX = type=\S+\s+msg=audit
FORMAT = sourcetype::linux:audit
- Restart Splunk.
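To check which syslog events the REGEX above would re-type to linux:audit before restarting Splunk, the following added example (not part of the Splunk documentation or the add-on) emulates the transform against constructed sample events. The event strings and the assign_sourcetype/route_events helper names are assumptions made for this illustration.

```python
import re

# REGEX from the transforms.conf stanza above. Splunk applies it unanchored
# against the raw event, so re.search (not re.match) is the right emulation.
AUDIT_REGEX = re.compile(r"type=\S+\s+msg=audit")

# Constructed sample events, as a TCP syslog input might receive them.
SAMPLE_EVENTS = [
    "type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0",
    "type=USER_LOGIN msg=audit(1700000001.000:457): pid=1234 uid=0 auid=1000 res=success",
    "<13>Nov 14 12:00:00 host01 sshd[999]: Accepted publickey for alice from 10.0.0.5 port 50000",
    # Extra whitespace between the fields is still matched by \s+.
    "type=SYSCALL   msg=audit(1700000002.500:458): arch=c000003e syscall=2",
    # Field order differs from what auditd emits: type= is not followed by msg=audit, so no match.
    "msg=audit(1700000003.000:459): type=CRED_ACQ",
]


def assign_sourcetype(raw_event: str, default: str = "syslog") -> str:
    """Emulate DEST_KEY = MetaData:Sourcetype with FORMAT = sourcetype::linux:audit.

    Events matching REGEX get the linux:audit source type; everything else keeps
    the source type the input assigned (assumed here to be 'syslog').
    """
    if AUDIT_REGEX.search(raw_event):
        return "linux:audit"
    return default


def route_events(events):
    """Group events by the source type they would end up with after the transform."""
    buckets = {}
    for event in events:
        buckets.setdefault(assign_sourcetype(event), []).append(event)
    return buckets


if __name__ == "__main__":
    for sourcetype, events in route_events(SAMPLE_EVENTS).items():
        print(f"{sourcetype}: {len(events)} event(s)")
        for event in events:
            print(f"  {event}")
```

If a real audit line in your syslog feed lands in the "syslog" bucket, the REGEX does not match its layout and the transform will not re-type it in Splunk either.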
This documentation applies to the following versions of Splunk® Supported Add-ons: released