Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

About the Splunk Add-on for Unix and Linux

Version 9.2.0
Vendor products All supported Unix operating systems. See Unix operating systems.
Add-on has web UI Yes. This add-on contains views for configuration.

The Splunk Add-on for Unix and Linux allows a Splunk software administrator to collect data from Unix and Linux hosts. Install the Splunk Add-on for Unix and Linux on a forwarder to send data from any number of hosts to a Splunk Enterprise indexer or group of indexers. You can also use the add-on to provide data for other apps, such as Splunk IT Service Intelligence (ITSI) or Splunk Enterprise Security.

File Monitoring Inputs

The Splunk Add-on for Unix and Linux collects the following data using file inputs:

  • Monitoring /etc directory
  • Monitoring /var/log directory
  • Monitoring /home/*/.bash_history directory
  • Monitoring /root/.bash_history directory
  • Monitoring /var/adm directory
  • Monitoring /Library/ Logs

Scripted Inputs

The add-on collects data with the following scripted inputs:

Input Description
bandwidth.sh Network statistics via the shell commands dlstat, netstat, and sar
cpu.sh CPU statistics via the shell commands sar, mpstat, and iostat
cpu_metric.sh CPU statistics and OS info via the shell commands hostname, ifconfig, uname, sar, mpstat, and iostat
df.sh Free disk space for each mount point via the shell commands df, mount, and fstyp
df_metric.sh Statistics of free disk space for each mount point and OS info via the shell commands hostname, ifconfig, uname, df, mount, and fstyp.
hardware.sh Hardware information via the shell commands cpuinfo, df, dmesg, hwinfo, ifconfig, ioscan, iostat, ip, lanscan, lsattr, lscfg, lsdev, lsps, lspv, meminfo, mpstat, prtconf, prtdiag, sysctl, system_profiler, swap, swapinfo, and top
interfaces.sh Configured network interfaces via the shell commands dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat
interfaces_metric.sh Statistics of configured network interfaces and OS info via the shell commands hostname, ifconfig, uname, dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat
iostat.sh Input/output statistics for block devices and partitions via the shell commands darwin_disk_stats, iostat, and sar
iostat_metric.sh Statistics of Input/output statistics for block devices and partitions and OS info via the shell commands hostname, ifconfig, uname, darwin_disk_stats, iostat, and sar
lastlog.sh Last login times for system accounts via the shell commands last, lastb, and lastlogin
lsof.sh Process information via the shell command lsof
netstat.sh Network connections, routing tables, and network interface information via the shell command netstat
nfsiostat.sh Collects NFS mounts data via the shell command nfsiostat. Requires the nfs-utils package.
openPorts.sh Available network ports via the shell command netstat
openPortsEnhanced.sh TCP/UDP ports in a listening state, and information on process, process ID, IP version, and so on. via the shell commands lsof, and netstat
package.sh Lists installed software packages via the shell commands dpkg-query, pkginfo, pkg_info, pkg info, system_profiler, and swlist
passwd.sh Shows username and associated user ID, user group ID, and shell
protocol.sh TCP/UDP transfer statistics via the shell commands netstat or nstat
ps.sh Status of current running processes via the shell command ps
ps_metric.sh Statistics of the status of currently running processes and OS info via the shell command hostname, ifconfig, uname and ps
rlog.sh Linux Auditing System events information recorded in /var/log/audit/audit.log by auditd
selinuxChecker.sh Parses /etc/sysconfig/selinux to check if SELinux is configured
service.sh Running services and associated details via the shell commands chkconfig, dscl, svcs, and systemctl
sshdChecker.sh Parses sshd_config for information local sshd configurations
time.sh System date and time, and NTP server time via the shell commands and chronyc, date andntpdate
top.sh List of running system processes via the shell commands ps and top
update.sh Available software updates for installed packages via the shell commands softwareupdate, yum and zypper
uptime.sh System date and uptime information via the shell command date
usersWithLoginPrivs.sh Shows system username information
version.sh OS version details via the shell command uname
vmstat.sh Process-related memory usage information via the shell commands prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat
vmstat_metric.sh Statistics of process-related memory usage information and OS info via the shell commands hostname, ifconfig, uname prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat
vsftpdChecker.sh Parses vsftpd.conf for information about local VSFTP server configurations in /etc, /etc/vsftpd, or /private/etc
who.sh Information about all users currently logged in via the shell command who

The add-on displays question marks ("?") for blank fields that the scripted inputs return within individual events. This is expected behavior to preserve field spacing.


Download the Splunk Add-on for Unix and Linux from Splunkbase.

For a summary of new features, fixed issues, and known issues, see Release notes for the Splunk Add-on for Unix and Linux.

For information about installing and configuring the Splunk Add-on for Unix and Linux, see Installation and configuration overview for the Splunk Add-on for Unix and Linux.

See Splunk Community page for questions related to Splunk Add-on for Unix and Linux on Splunk Answers.

Last modified on 12 July, 2024
  Source types for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters