Release history for the Splunk Add-on for Unix and Linux

The latest version of the Splunk Add-on for Unix and Linux is version 9.2.0. See Release notes for the Splunk Add-on for Unix and Linux for release notes of this latest version.

Version 9.1.0

Version 9.1.0 of the Splunk Add-on for Unix and Linux was released on May 30, 2024.

Compatibility

Version 9.1.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	9.0.x, 9.1.x, 9.2.x
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 9.1.0 of the Splunk Add-on for Unix and Linux has the following new features:

Updated the lsof script for compatibility with the latest version.

Bug fixes

Fixed wrong time stamp extraction for auditd sourcetype

Fixed issues

Version 9.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 9.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2024-03-19	ADDON-69658, SPL-242510	cpu.sh shows momentary spikes of higher utilization when invoked compared to previous major version of Splunk
2022-06-24	ADDON-53138	cpu, cpu_metric scripts report higher CPU usage on Splunk 9.x

Date filed	Issue number	Description
2024-03-19	ADDON-69658	cpu.sh shows momentary spikes of higher utilization when invoked compared to previous major version
2022-06-24	ADDON-53138	[PUBLIC] [Nix] cpu, cpu_metric scripts report higher CPU usage on Splunk 9.x

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 9.0.0

Version 9.0.0 of the Splunk Add-on for Unix and Linux was released on October 28, 2023.

Compatibility

Version 9.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	9.0.x, 9.1.x
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 9.0.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for a new linux OS, SUSE Linux Enterprise Server version 15SP5.

Bug fixes

Fixed extraction of src_ip field for linux_secure source_type.
Fixed breaking of field values, column values have whitespace for userswithloginprivs sourcetype.
Fixed issue where the user was getting redirected to the add-on setup page while editing Knowledge Objects on the Splunk Cloud Platform. Users will now be able to edit the Knowledge Objects on the Splunk Cloud Platform after selecting Click me! on the add-on setup page.
Fixed column truncating issue for lsof and openPortsEnhanced scripted input by adding "+c 0" in lsof command.

Fixed issues

Version 9.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 9.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.10.0

Version 8.10.0 of the Splunk Add-on for Unix and Linux was released on June 14, 2023.

Compatibility

Version 8.10.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x, 9.0.x
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.10.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for AIX 7.3 and RHEL 9.2.
Added a new dimension, IPv6_address, to the interfaces_metric, df_metric and ps_metric source types which contains the global IPv6 information of the monitored host.

Fixed issues

Version 8.10.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.10.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2022-06-24	ADDON-53138	cpu, cpu_metric scripts report higher CPU usage than the actual usage on Splunk 9.x
2022-03-14	ADDON-49319	seekptr checksum errors seen while trying to monitor /etc folder
2022-03-09	ADDON-49067	Update.sh is throwing a few permission errors before the output in RHEL in LPM
2021-01-20	ADDON-33139	Input netstat.sh and openPorts.sh gives error in splunkd.log when add-on is installed on macOS v10.15.7
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.9.0

Version 8.9.0 of the Splunk Add-on for Unix and Linux was released on April 17, 2023.

Compatibility

Version 8.9.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x, 9.0.x
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.9.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for MacOS 13.2.
Enhanced cpu and cpu_metric.sh script for AIX to incorporate new fields.
Enhanced cpu and cpu_metric.sh script for AIX such that it can be run by users without root access.

Fixed issues

Version 8.9.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.9.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.8.0

Version 8.8.0 of the Splunk Add-on for Unix and Linux was released on January 24, 2023.

Compatibility

Version 8.8.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x, 9.0.0
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.8.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for RHEL v8.7 and FreeBSD v13.1.
Limited the broader eventtypes of the add-on to match only relevant events collected by the add-on. For more information, see Upgrade the Splunk Add-on for Unix and Linux.

Fixed issues

Version 8.8.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.8.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.7.0

Version 8.7.0 of the Splunk Add-on for Unix and Linux was released on July 26, 2022.

Compatibility

Version 8.7.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x, 9.0.0
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.7.0 of the Splunk Add-on for Unix and Linux has the following new features:

Enhanced df, interfaces and ps scripts to make the add-on more robust and efficient across various operating systems.
Support for RHEL v8.6 and RHEL v9.
Breaking Change: For ps and ps_metric scripts, ELAPSED and PSR were removed from kernel outputs except for AIX and SunOS as part of v8.7.0.

For more information on the enhanced scripts, see the Reference Section.

Bug fixes

Fixed the issue where events were breaking when forwarded from UF via the httpout method.
Fixed the issue where package.sh throws awk regular expression syntax error.
Fixed the issue where df_metric.sh script gave erroneous output when a hyphen character '-' is present in the IUse% field.

Fixed issues

Version 8.7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.6.0

Version 8.6.0 of the Splunk Add-on for Unix and Linux was released on July 1, 2022.

Compatibility

Version 8.6.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x, 9.0.0
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.6.0 of the Splunk Add-on for Unix and Linux has the following new features:

Enhanced iostat scripts to make the add-on more robust and efficient across various operating systems.
Support for cpu.sh and cpu_metric.sh script on macOS > v10.11.
Support for update.sh script on Ubuntu OS.
Support for Ubuntu OS v22.04.
Support for macOS v12.4.

For more information on the enhanced iostat scripts, see the Reference Section.

Bug fixes

Fixed the issue with df.sh not extracting type field correctly on AIX operating systems when file systems names are long.
Removed extractions for deprecated fs_notification sourcetype.
Fixed the issue with df_metric.sh not generating output as expected when the output of command misses certain fields or contains an empty row.
Renamed setup.env_cloud.xml to ta_nix_configuration.env_cloud.xml to avoid errors on Splunk Cloud while updating permissions.
Fixed the issue with hardware.sh displaying errors when there are disks with no volume groups attached on AIX operating systems.
Fixed the issue with the hardware.sh displaying errors when there are disks part of an inactive volume group on AIX operating systems.

Fixed issues

Version 8.6.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.6.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.5.0

Version 8.5.0 of the Splunk Add-on for Unix and Linux was released on April 21, 2022.

Compatibility

Version 8.5.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.5.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for Least Privilege Mode functionality of the Splunk Universal Forwarder
Support for the latest flavors of Unix/Linux (RHEL 8.5 and MacOS 12.2)
Updated the logic in 'iostat.sh' and 'iostat_metric.sh' scripts to calculate 'avgWaitMillis' when 'await' is missing from the output of the raw command
Added 6 new fields in 'iostat.sh' and 'iostat_metric.sh' for Linux kernels:
- rAvgWaitMillis (Read request processing wait time)
- wAvgWaitMillis (Write request processing completion wait time)
- rrqmPct (The percentage of read requests merged together before being sent to the device)
- wrqmPct (The percentage of write requests merged together before being sent to the device)
- rAvgReqSZkb (Average read request size in KB)
- wAvgReqSZkb (Average write request size in KB)

Bug fixes

Fixed output of nfsiostat.sh script for Ubuntu 20.04

Fixed issues

Version 8.5.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.5.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.4.0

Version 8.4.0 of the Splunk Add-on for Unix and Linux was released on December 07, 2021.

Compatibility

Version 8.4.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.1.x, 8.2.x
CIM	4.20.2
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.4.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for the latest vendor products of Nix (RHEL 8.4, Ubuntu 21.04, FreeBSD 13, and macOS 11.6)
Support for INode fields of all the OSs in the 'df' and 'df_metric' scripts' output
Support for the latest CIM version (4.20.2)
Added 'user_name' and 'src_user_name' fields to the 'linux_secure' and 'linux_audit' sourcetypes
Reinstated the 'process' tag for the 'top' and 'ps' eventtypes

Bug fixes

Fixed the normalisation issue for the 'pctCPU' and 'pctMEM' fields when value is either <0 or >100 in output of 'ps' and 'ps_metric' scripts.
Fixed the issue in 'iostat' and 'iostat_metric' scripts to support the latest version of the sysstat package.
Fixed the field extraction where the value of the 'user' was truncated when it contained special characters for the 'aix_secure', 'osx_secure', linux_secure', and 'syslog' sourcetypes.
Fixed the 'df' and 'df_metric' scripts for the incorrect data when mount point has a space character for Linux kernel OSs.
Fixed the 'rlog' script to remove the unwanted error in the splunkd logs when no new data is available.
Fixed the 'interfaces' and 'interfaces_metric' scripts to remove the warning of awk regular expression syntax.

Fixed issues

Version 8.4.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.4.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2022-03-14	ADDON-49319	seekptr checksum errors seen while trying to monitor /etc folder
2022-03-09	ADDON-49067	Update.sh is throwing a few permission errors before the output in RHEL in LPM
2021-01-20	ADDON-33139	Input netstat.sh and openPorts.sh gives error in splunkd.log when add-on is installed on macOS v10.15.7
2020-06-18	ADDON-27321	nfsiostat.sh fails with ImportError: This package should not be accessible on Python 3
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.3.1

Version 8.3.1 of the Splunk Add-on for Unix and Linux was released on July 26, 2021.

Compatibility

Version 8.3.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	8.0.x, 8.1.x, 8.2.x
CIM	4.18
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following new features:

Updated the setup page of the add-on to make it compatible with jQuery3.

Fixed issues

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2022-06-24	ADDON-53138	cpu, cpu_metric scripts report higher CPU usage than the actual usage on Splunk 9.x
2021-01-20	ADDON-33139	Input netstat.sh and openPorts.sh gives error in splunkd.log when add-on is installed on macOS v10.15.7
2020-06-18	ADDON-27321	nfsiostat.sh fails with ImportError: This package should not be accessible on Python 3
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-20	ADDON-26130	When there is no new data available to be ingested in audit.log, rlog.sh script throws error in splunkd.log
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.3.0

Version 8.3.0 of the Splunk Add-on for Unix and Linux was released. on February 3, 2021.

Compatibility

Version 8.3.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM	4.18
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support of CentOS 8, RHEL 8.3, Solaris 11.4, Ubuntu 20.10, FreeBSD 12.2, macOS 10.15
Common Information Model (CIM) version 4.18 compatibility
Enhanced CIM mappings and extractions for 'linux_secure' and 'aix_secure' sourcetypes
Enhanced CIM mappings and extractions for 'dhcpd' sourcetype
Mapped Endpoint.FileSystem data model to 'fs_notification' sourcetype
Mapped Performance.CPU data model to 'ps' sourcetype
Mapped Perfomance.Storage data model to 'nfsiostat' sourcetype
Mapped Endpoint.Ports data model to 'netstat' sourcetype
Removed DM mappings from 'top' and 'Unix:ListeningPorts' sourcetypes
Added the reason CIM field for the 'Authentication.Failed_Authentication' data model

Fixed issues

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2021-01-28	ADDON-31685	The 'top.sh' script that Splunk_TA_nix app uses does not correctly extract the fields of the 'top' linux command in FreeBSD

Known issues

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2021-01-20	ADDON-33139	Input netstat.sh and openPorts.sh gives error in splunkd.log when add-on is installed on macOS v10.15.7
2020-06-18	ADDON-27321	nfsiostat.sh fails with ImportError: This package should not be accessible on Python 3
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-20	ADDON-26130	When there is no new data available to be ingested in audit.log, rlog.sh script throws error in splunkd.log
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.2.0

Version 8.2.0 of the Splunk Add-on for Unix and Linux was released on September 21, 2020.

Compatibility

Version 8.2.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.16
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following new features:

Updated and added new CIM field compatibility for various sourcetypes.
Removed deprecated CIM models and upgraded to new CIM models.

Fixed issues

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2020-08-18	ADDON-27953	Metric scripts produce error if there are spaces in the OSName variable

Known issues

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2020-12-04	ADDON-31685	The 'top.sh' script that Splunk_TA_nix app uses does not correctly extract the fields of the 'top' linux command in FreeBSD Workaround: Amended script under "elif [ "x$KERNEL" = "xFreeBSD" ] ; then" from: FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$9; pctCPU=0+$10; command=$11}' to FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$10; pctCPU=$11; command=$12}' This aligns the columns correctly.
2020-06-18	ADDON-27321	nfsiostat.sh fails with ImportError: This package should not be accessible on Python 3
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-20	ADDON-26130	When there is no new data available to be ingested in audit.log, rlog.sh script throws error in splunkd.log
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.1.0

Version 8.1.0 of the Splunk Add-on for Unix and Linux was released on June 24, 2020.

Compatibility

Version 8.1.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.15
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

New features

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for the metrics index for collecting statistical information of cpu, df, iostat, interfaces, vmstat, and ps sources.
Additional support of the chrony command to get time-service information.

Fixed issues

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2020-06-16	ADDON-26155	Header data is also getting indexed as an event for "interfaces", "lastlog", "who" and "top" sourcetypes
2020-06-16	ADDON-16732	Script crashing, needs to be updated since ntpdate is deprecated
2020-06-02	ADDON-21184	service.sh outputs time as a service
2020-05-27	ADDON-26291	Fields are not getting extracted for 'auditd', 'lastlog' and 'netstat' Source type

Known issues

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2020-07-27	ADDON-27953	Metric scripts produce error if there are spaces in the OSName variable
2020-06-18	ADDON-27321	nfsiostat.sh fails with ImportError: This package should not be accessible on Python 3
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-20	ADDON-26130	When there is no new data available to be ingested in audit.log, rlog.sh script throws error in splunkd.log
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.0.0

Version 8.0.0 of the Splunk Add-on for Unix and Linux was released on April 28, 2020.

Compatibility

Version 8.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.15
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script	CentOS		RHEL			Ubuntu		Solaris			AIX		FreeBSD			FreeNAS	Mac OS X
Script	6	7	6.9	7.4	8.0	14.04	16.04	10	11.3	11.0	7.1	7.2	9	10	11	11.3U1¹³	10.11	10.12
`bandwidth.sh`	Y	Y	Y	Y	Y	Y	Y	Y¹	Y²	Y	Y	Y	N³	N³	N³	N³	Y	N³
`common.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`cpu.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N³
`df.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`hardware.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`interfaces.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`iostat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁴	N⁴
`lastlog.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	Y	Y	Y	Y	Y	Y
`lsof.sh`	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	N	N	N	N	N	N	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴
`netstat.sh`	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	Y	N	N
`nfsiostat.sh`¹²	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N
`openPorts.sh`	Y⁵	Y⁵	Y⁵	Y⁵	Y⁵	Y	Y	Y⁵	Y⁵	Y⁵	Y	Y	Y	Y	Y	Y	Y	Y
`openPortsEnhanced.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	Y	Y
`package.sh`	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y¹⁴	Y^{6, 14, 16}	Y^{6, 14, 16}	Y^{14, 16}	Y¹⁴	Y¹⁴
`passwd.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`protocol.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`ps.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y⁷	Y⁷	Y⁷	Y	Y	Y
`rlog.sh`	Y	Y⁸	Y	Y⁸	Y⁸	Y⁹	Y	N	N	N	N	N	N	N	N	N	N	N
`selinuxChecker.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N	N
`service.sh`	Y	Y	Y	Y	Y	N¹⁰	Y	Y	Y	Y	N	N	N	N	N	N	Y	Y
`sshdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N
`time.sh`	Y¹¹	Y¹¹	Y	Y	Y¹¹	Y	Y	Y	Y	Y	Y	Y¹¹	Y	Y	Y	Y	Y	Y
`top.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`update.sh`	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N	Y	Y
`uptime.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`usersWithLoginPrivs.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`version.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`vmstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N
`vsftpdChecker.sh`	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	Y¹⁵	N	Y¹⁵	Y¹⁵
`who.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Notes

Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
Supported, requires dlstat.
Not supported, sar is not available.
Not supported, /bin/darwin_disk_stats is not available.
Supported, script indexes Header information as an extra event.
Supported. pkg_info is deprecated, and pkg info is being used.
Supported, COMMAND field value is truncated.
Supported, error log messages are included. Not supported for RHEL/CentOS version 7.3.
Supported, requires ausearch.
Not supported, chkconfig is not available.
Supported, requires ntpdate or chrony for RHEL version 8.
Supported with only Linux OS configurations, requires the nfs-utils package.
Only FreeNAS 11.3U1 is supported.
Bash shell is required to run the script. Install the bash package for the input.
Requires vsftpd package.
Data for Name, Version and Architecture of the package will be ingested by the Splunk software.

New features

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following new features:

Common Information Model (CIM) version 4.15 compatibility.
Support for RHEL version 8.0
Increased ps.sh COMMAND field width to accommodate long values.
Ability to capture sshd-authentication events that do not have from in the event
Support for FreeNAS version 11.3U1.

Fixed issues

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2020-04-16	ADDON-17763	Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4
2020-04-16	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.
2020-04-16	ADDON-21209	'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2020-03-31	ADDON-21887	cpu.sh and vmstat.sh return aggregate results for SunOS as opposed to snapshot
2019-12-11	ADDON-23937	interfaces script throwing error when touching disabled and not configured interfaces - familysearch.splunkcloud.com
2019-12-09	ADDON-23292, ADDON-16135	Search Job Alerts for Splunk defined eventtype

Known issues

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2024-03-19	ADDON-69658, SPL-242510	cpu.sh shows momentary spikes of higher utilization when invoked compared to previous major version of Splunk
2020-06-18	ADDON-27321	nfsiostat.sh fails with ImportError: This package should not be accessible on Python 3
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-24	ADDON-26291	Fields are not getting extracted for 'auditd', 'lastlog' and 'netstat' Source type
2020-04-21	ADDON-26155	Header data is also getting indexed as an event for "interfaces", "lastlog", "who" and "top" sourcetypes
2020-04-20	ADDON-26130	When there is no new data available to be ingested in audit.log, rlog.sh script throws error in splunkd.log
2020-04-20	ADDON-26131, ADDON-33138	Input protocol.sh gives error in splunkd.log when add-on is installed on macOS
2019-01-31	ADDON-21184	service.sh outputs time as a service
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-03-27	ADDON-17560	Data is not getting indexed for service.sh in Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 7.0.1

Version 7.0.1 of the Splunk Add-on for Unix and Linux was released on March 14, 2020.

Compatibility

Version 7.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0
CIM	4.12
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script	CentOS		RHEL		Ubuntu		Solaris			AIX		FreeBSD			Mac OS X
Script	6	7	7.4	6.9	14.04	16.04	10	11.3	11.0	7.1	7.2	9	10	11	10.11	10.12
`bandwidth.sh`	Y	Y	Y	Y	Y	Y	Y¹	Y²	Y	Y	Y	N³	N³	N³	Y	N³
`common.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`cpu.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N³
`df.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`hardware.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`interfaces.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`iostat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁴	N⁴
`lastlog.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	Y	Y	Y	Y	Y
`lsof.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	Y	Y
`netstat.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N
`nfsiostat.sh`¹²	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N
`openPorts.sh`	Y⁵	Y⁵	Y⁵	Y⁵	Y	Y	Y⁵	Y⁵	Y⁵	Y	Y	Y	Y	Y	Y	Y
`openPortsEnhanced.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`package.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁶	N⁶	Y	Y
`passwd.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`protocol.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`ps.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y⁷	Y⁷	Y⁷	Y	Y
`rlog.sh`	Y	Y⁸	Y⁸	Y	Y⁹	Y	N	N	N	N	N	N	N	N	N	N
`selinuxChecker.sh`	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N
`service.sh`	Y	Y	Y	Y	N¹⁰	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`sshdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N
`time.sh`	Y¹¹	Y¹¹	Y	Y	Y	Y	Y	Y	Y	Y	Y¹¹	Y	Y	Y	Y	Y
`top.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`update.sh`	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	Y	Y
`uptime.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`usersWithoginPrivs.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`version.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`vmstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N
`vsfptdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`who.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Notes

Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
Supported, requires dlstat.
Not supported, sar is not available.
Not supported, /bin/darwin_disk_stats is not available.
Supported, script indexes Header information as an extra event.
Not supported, pkg_info is deprecated.
Supported, COMMAND field value is truncated.
Supported, error log messages are included.
Supported, requires ausearch.
Not supported, chkconfig is not available.
Supported, requires ntpdate.
Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 7.0 or later from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following new features:

Default support for Python3

Fixed issues

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2019-09-26	ADDON-21212	interfaces script throwing error when touching disabled and not configured interfaces.

Known issues

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-24	ADDON-26291	Fields are not getting extracted for 'auditd', 'lastlog' and 'netstat' Source type
2019-10-23	ADDON-24037	interfaces.sh script doesnot work with "ifconfig" command Workaround: If the system doesn't "ip" command and contains only "ifconfig" command, the interfaces.sh script may return incorrect results. In such cases, change CMD_LIST_INTERFACES to CMD_LIST_UP_INTERFACES in line 28. So the code look like: """ CMD_LIST_UP_INTERFACES ="eval ifconfig \| tee $TEE_DEST \| grep 'Link encap:\\|mtu' \| grep -Ev lo \| tee -a $TEE_DEST \| cut -d' ' -f1 \| cut -d':' -f1 \| tee -a $TEE_DEST \| sort -u \| tee -a $TEE_DEST" """
2019-02-05	ADDON-21209	'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31	ADDON-21184	service.sh outputs time as a service
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 7.0

Version 7.0 of the Splunk Add-on for Unix and Linux was released on October 21, 2019.

Compatibility

Version 7.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0
CIM	4.12
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script	CentOS		RHEL		Ubuntu		Solaris			AIX		FreeBSD			Mac OS X
Script	6	7	7.4	6.9	14.04	16.04	10	11.3	11.0	7.1	7.2	9	10	11	10.11	10.12
`bandwidth.sh`	Y	Y	Y	Y	Y	Y	Y¹	Y²	Y	Y	Y	N³	N³	N³	Y	N³
`common.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`cpu.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N³
`df.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`hardware.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`interfaces.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`iostat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁴	N⁴
`lastlog.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	Y	Y	Y	Y	Y
`lsof.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	Y	Y
`netstat.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N
`nfsiostat.sh`¹²	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N
`openPorts.sh`	Y⁵	Y⁵	Y⁵	Y⁵	Y	Y	Y⁵	Y⁵	Y⁵	Y	Y	Y	Y	Y	Y	Y
`openPortsEnhanced.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`package.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁶	N⁶	Y	Y
`passwd.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`protocol.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`ps.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y⁷	Y⁷	Y⁷	Y	Y
`rlog.sh`	Y	Y⁸	Y⁸	Y	Y⁹	Y	N	N	N	N	N	N	N	N	N	N
`selinuxChecker.sh`	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N
`service.sh`	Y	Y	Y	Y	N¹⁰	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`sshdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N
`time.sh`	Y¹¹	Y¹¹	Y	Y	Y	Y	Y	Y	Y	Y	Y¹¹	Y	Y	Y	Y	Y
`top.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`update.sh`	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	Y	Y
`uptime.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`usersWithoginPrivs.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`version.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`vmstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N
`vsfptdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`who.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Notes

Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
Supported, requires dlstat.
Not supported, sar is not available.
Not supported, /bin/darwin_disk_stats is not available.
Supported, script indexes Header information as an extra event.
Not supported, pkg_info is deprecated.
Supported, COMMAND field value is truncated.
Supported, error log messages are included.
Supported, requires ausearch.
Not supported, chkconfig is not available.
Supported, requires ntpdate.
Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 7.0 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 7.0 of the Splunk Add-on for Unix and Linux has the following new features:

Support for Python3

Fixed issues

Version 7.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2019-09-26	ADDON-21212	interfaces script throwing error when touching disabled and not configured interfaces.

Known issues

Version 7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2020-04-24	ADDON-26293	Field values gets broke when values has space for 'lsof' and 'userswithloginprivs' source types
2020-04-24	ADDON-26292	Additional error of broken pipe is getting logged under splunkd.log along with correct data for cpu.sh on Solaris OS
2020-04-24	ADDON-26291	Fields are not getting extracted for 'auditd', 'lastlog' and 'netstat' Source type
2019-02-05	ADDON-21209	'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31	ADDON-21184	service.sh outputs time as a service
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.2

Version 6.0.2 of the Splunk Add-on for Unix and Linux was released on February 18, 2019.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.2 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM	4.12
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script	CentOS		RHEL		Ubuntu		Solaris			AIX		FreeBSD			Mac OS X
Script	6	7	7.4	6.9	14.04	16.04	10	11.3	11.0	7.1	7.2	9	10	11	10.11	10.12
`bandwidth.sh`	Y	Y	Y	Y	Y	Y	Y¹	Y²	Y	Y	Y	N³	N³	N³	Y	N³
`common.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`cpu.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N³
`df.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`hardware.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`interfaces.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`iostat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁴	N⁴
`lastlog.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	Y	Y	Y	Y	Y
`lsof.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	Y	Y
`netstat.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N
`nfsiostat.sh`¹²	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N
`openPorts.sh`	Y⁵	Y⁵	Y⁵	Y⁵	Y	Y	Y⁵	Y⁵	Y⁵	Y	Y	Y	Y	Y	Y	Y
`openPortsEnhanced.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`package.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁶	N⁶	Y	Y
`passwd.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`protocol.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`ps.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y⁷	Y⁷	Y⁷	Y	Y
`rlog.sh`	Y	Y⁸	Y⁸	Y	Y⁹	Y	N	N	N	N	N	N	N	N	N	N
`selinuxChecker.sh`	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N
`service.sh`	Y	Y	Y	Y	N¹⁰	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`sshdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N
`time.sh`	Y¹¹	Y¹¹	Y	Y	Y	Y	Y	Y	Y	Y	Y¹¹	Y	Y	Y	Y	Y
`top.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`update.sh`	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	Y	Y
`uptime.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`usersWithoginPrivs.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`version.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`vmstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N
`vsfptdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`who.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Notes

Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
Supported, requires dlstat.
Not supported, sar is not available.
Not supported, /bin/darwin_disk_stats is not available.
Supported, script indexes Header information as an extra event.
Not supported, pkg_info is deprecated.
Supported, COMMAND field value is truncated.
Supported, error log messages are included.
Supported, requires ausearch.
Not supported, chkconfig is not available.
Supported, requires ntpdate.
Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.2 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following new features:

Improved load balancing on the universal forwarder.
Support of iostats for NFS mounts for Linux OS configurations.
Added KV_MODE = multi parameter in props.conf under package sourcetype stanza for search time extractions.
See Make CPU core statistics info in FreeBSD similar to other supported OS configurations.

Fixed issues

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2019-02-04	ADDON-20084	For CIM All_Application_State model field service is labeled as "Unknown"
2019-01-17	ADDON-17448	CPU core is not properly indexed with Splunk_TA_nix with FreeBSD11 OS
2018-12-19	ADDON-17431	Eventtype unix_runlevel_change name mismatch in eventtypes.conf and tags.conf

Known issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2019-10-11	ADDON-23937	interfaces script throwing error when touching disabled and not configured interfaces - familysearch.splunkcloud.com
2019-09-12	ADDON-23292, ADDON-16135	Search Job Alerts for Splunk defined eventtype Workaround: None known
2019-02-05	ADDON-21209	'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31	ADDON-21184	service.sh outputs time as a service
2018-04-19	ADDON-17763	Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4 Workaround: Replace if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then{code} in rlog.sh script with if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then{code}
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.
2018-03-27	ADDON-17560	Data is not getting indexed for service.sh in Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.1

Version 6.0.1 of the Splunk Add-on for Unix and Linux was released on September 20, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions	6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM	4.11
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script	CentOS		RHEL		Ubuntu		Solaris			AIX		FreeBSD			Mac OS X
Script	6	7	7.4	6.9	14.04	16.04	10	11.3	11.0	7.1	7.2	9	10	11	10.11	10.12
`bandwidth.sh`	Y	Y	Y	Y	Y	Y	Y¹	Y²	Y	Y	Y	N³	N³	N³	Y	N³
`common.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`cpu.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N³
`df.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`hardware.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`interfaces.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`iostat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁴	N⁴
`lastlog.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	Y	Y	Y	Y	Y
`lsof.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	Y	Y
`netstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`openPorts.sh`	Y⁵	Y⁵	Y⁵	Y⁵	Y	Y	Y⁵	Y⁵	Y⁵	Y	Y	Y	Y	Y	Y	Y
`openPortsEnhanced.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`package.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁶	N⁶	Y	Y
`passwd.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`protocol.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`ps.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y⁷	Y⁷	Y⁷	Y	Y
`rlog.sh`	Y	Y⁸	Y⁸	Y	Y⁹	Y	N	N	N	N	N	N	N	N	N	N
`selinuxChecker.sh`	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N
`service.sh`	Y	Y	Y	Y	N¹⁰	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`sshdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N
`time.sh`	Y¹¹	Y¹¹	Y	Y	Y	Y	Y	Y	Y	Y	Y¹¹	Y	Y	Y	Y	Y
`top.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`update.sh`	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	Y	Y
`uptime.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`usersWithoginPrivs.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`version.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`vmstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N
`vsfptdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`who.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Notes

Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
Supported, requires dlstat.
Not supported, sar is not available.
Not supported, /bin/darwin_disk_stats is not available.
Supported, script indexes Header information as an extra event.
Not supported, pkg_info is deprecated.
Supported, COMMAND field value is truncated.
Supported, error log messages are included.
Supported, requires ausearch.
Not supported, chkconfig is not available.
Supported, requires ntpdate.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.1 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

The Splunk Add-on for Unix and Linux version 6.0.1 has the following new features:

Supported extraction for the cpu_instance field. Earlier versions extracted only cpu=all. Version 6.0.1 can extract field values for individual core numbers in addition to cpu=all.
Supported extraction for the mem_page_in and mem_page_out field
Supported extraction for the swap_percent field
Supported extraction for the cpu_architecture field

Fixed issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved	Issue number	Description
2018-09-05	ADDON-19194	Incorrect value in swapUsedPct field in FreeBSD os
2018-09-04	ADDON-18051	Extract cpu_instance field (ITSI OS Module requirement)
2018-09-02	ADDON-18093	Extract field swap_percent (ITSI OS Module requirement)
2018-08-30	ADDON-18095	Extract fields mem_page_in and mem_page_out (ITSI OS Module requirement)
2018-08-27	ADDON-18042	Extract cpu_architecture field (ITSI OS Module requirement)

Known issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed	Issue number	Description
2019-02-05	ADDON-21209	'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31	ADDON-21184	service.sh outputs time as a service
2018-10-24	ADDON-20084	For CIM All_Application_State model field service is labeled as "Unknown"
2018-04-19	ADDON-17763	Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4 Workaround: Replace if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then{code} in rlog.sh script with if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then{code}
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.0

Version 6.0.0 of the Splunk Add-on for Unix and Linux was released on June 21, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduces breaking changes. If you are upgrading from a previous version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM	4.11
Supported OS for data collection	All supported Unix operating systems. See Unix operating systems.
Vendor products	All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script	CentOS		RHEL		Ubuntu		Solaris			AIX		FreeBSD			Mac OS X
Script	6	7	7.4	6.9	14.04	16.04	10	11.3	11.0	7.1	7.2	9	10	11	10.11	10.12
`bandwidth.sh`	Y	Y	Y	Y	Y	Y	Y¹	Y²	Y	Y	Y	N³	N³	N³	Y	N³
`common.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`cpu.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N³
`df.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`hardware.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`interfaces.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`iostat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁴	N⁴
`lastlog.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	Y	Y	Y	Y	Y
`lsof.sh`	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	Y	Y
`netstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`openPorts.sh`	Y⁵	Y⁵	Y⁵	Y⁵	Y	Y	Y⁵	Y⁵	Y⁵	Y	Y	Y	Y	Y	Y	Y
`openPortsEnhanced.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`package.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N⁶	N⁶	Y	Y
`passwd.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`protocol.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`ps.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y⁷	Y⁷	Y⁷	Y	Y
`rlog.sh`	Y	Y⁸	Y⁸	Y	Y⁹	Y	N	N	N	N	N	N	N	N	N	N
`selinuxChecker.sh`	Y	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	N
`service.sh`	Y	Y	Y	Y	N¹⁰	Y	Y	Y	Y	N	N	N	N	N	Y	Y
`sshdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	N	N	N	N	N	N	N
`time.sh`	Y¹¹	Y¹¹	Y	Y	Y	Y	Y	Y	Y	Y	Y¹¹	Y	Y	Y	Y	Y
`top.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`update.sh`	Y	Y	Y	Y	N	N	N	N	N	N	N	N	N	N	Y	Y
`uptime.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`usersWithoginPrivs.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`version.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`vmstat.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	N
`vsfptdChecker.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y
`who.sh`	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y	Y

Notes

Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
Supported, requires dlstat.
Not supported, sar is not available.
Not supported, /bin/darwin_disk_stats is not available.
Supported, script indexes Header information as an extra event.
Not supported, pkg_info is deprecated.
Supported, COMMAND field value is truncated.
Supported, error log messages are included.
Supported, requires ausearch.
Not supported, chkconfig is not available.
Supported, requires ntpdate.

Upgrade

All users upgrading to the Splunk Add-on for Unix and Linux version 6.0.0 must follow the prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.0 of the Splunk Add-on for Unix and Linux contains the following new and changed features:

Added support for RedHat Enterprise Linux 7
Added support for Solaris 10 and Solaris 11
Linux scripts migrated from net-tools to iproute2 to support current Linux releases

Script updates

netstat.sh (sourcetype=netstat) is updated. The Proto field no longer contains the IP address type and the State field value is truncated.

Proto  Recv-Q  Send-Q  LocalAddress          ForeignAddress        State
tcp         0       0  127.0.0.1:53350       127.0.0.1:8191        ESTAB
tcp         0       0  127.0.0.1:8191        127.0.0.1:53324       ESTAB
tcp         0     128  :::22                 :::*                  LISTEN
tcp         0     100  ::1:25                :::*                  LISTEN

openPorts.sh (sourcetype=openPorts) is updated. The protocol field no longer contains the IP address type.
```
tcp 22
tcp 8089
tcp 25
tcp 8191
tcp 8000
tcp 8065
tcp 22
tcp 25
```

interfaces.sh (sourcetype=interfaces) is updated. The inetAddr field now contains the netmask.

Name  MAC                inetAddr       inet6Addr                    Collisions  RXbytes    RXerrors  TXbytes  TXerrors  Speed      Duplex
eth0  00:50:56:95:a4:f7  10.0.3.235/20  fe80::250:56ff:fe95:a4f7/64  0           620790375  0         2982390  0         10000Mb/s  Full

lastlog.sh (sourcetype=lastlog) is updated. The LATEST field no longer contains the seconds and year in the timestamp, and the FROM field only contains an IP address.

USERNAME                        FROM                            LATEST
user1                           10.0.1.1                        Thu Mar 29 13:04
user2                           10.0.1.1                        Mon Apr 9 14:34

Fixed issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux fixed the following issues:

Date resolved	Issue number	Description
2018-04-12	ADDON-14093	vmstat script error on AIX
2018-03-30	ADDON-12085	recursive search for bash_histories is expensive
2018-03-27	ADDON-12862, ADDON-12805	vmstat.sh thows ExecProcessor errors on machines with Infiband interfaces
2018-03-23	ADDON-13986	cpu.sh indexed output is missing core number.

Known issues

If no issues appear here, no issues have yet been reported.

Version 6.0.0 of the Splunk Add-on for Unix and Linux has the following known issues:

Date filed	Issue number	Description
2019-02-05	ADDON-21212	interfaces script throwing error when touching disabled and not configured interfaces.
2019-02-05	ADDON-21209	'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31	ADDON-21184	service.sh outputs time as a service
2018-04-19	ADDON-17763	Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4 Workaround: Replace if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then{code} in rlog.sh script with if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then{code}
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.
2018-03-27	ADDON-17560	Data is not getting indexed for service.sh in Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 5.2.4

The Splunk Add-on for Unix and Linux was last updated in December 2017.

What's new

See the known issues and fixed issues of these release notes for product updates.

Fixed issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux fixed the following issues:

Date resolved	Issue number	Description
2017-04-17	ADDON-8472	Logic failure in rlog.sh creates duplicates when the seekpointer file cannot be updated and silently fails
2017-03-28	ADDON-13680	The dest field is not extracted for some events

Known Issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux has the following known issues:

Date filed	Issue number	Description
2019-04-24	ADDON-21887	cpu.sh and vmstat.sh return aggregate results for SunOS as opposed to snapshot Workaround: Current workaround is to implement (for example): mpstat -p 1 2 as opposed to mpstat -p 1 1 to reflect the most recent non-aggregated result from the script output.
2018-08-27	ADDON-19194	Incorrect value in swapUsedPct field in FreeBSD os
2018-04-18	ADDON-17753	Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-18	ADDON-17747	package.sh not working in FreeBSD 10 and FreeBSD 11
2018-04-03	ADDON-17607	openPorts.sh script indexed "Header" information into Splunk as an extra event.
2018-03-28	ADDON-17571	AWS TA and *nix TA lack spec files for eventgen.conf, which causes cluster bundle validation errors, and breaks Manage Indexes page in clustered Splunk Cloud Workaround: Splunk Cloud customers who cannot create indexes on their own due to this bug should file a support case when they need new indexes created.
2018-03-20	ADDON-17448	CPU core is not properly indexed with Splunk_TA_nix with FreeBSD11 OS
2018-03-19	ADDON-17431	Eventtype unix_runlevel_change name mismatch in eventtypes.conf and tags.conf
2017-03-13	ADDON-14093	vmstat script error on AIX
2017-03-06	ADDON-13986	cpu.sh indexed output is missing core number. Workaround: Edit contents of cpu.sh script as follows: #Need to change to always be 24Hour time with export LC_TIME=POSIX export LC_TIME='POSIX' FORMAT='{cpu=$2; pctUser=$3; pctNice=$4; pctSystem=$5; pctIowait=$6; pctSteal=$7; pctIdle=$NF}'
2016-11-10	ADDON-12085	recursive search for bash_histories is expensive

Version 5.2.3

The Splunk Add-on for Unix and Linux was last updated on April 5, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date	Defect number	Description
2016-4-5	TAG-11060	The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date	Defect number	Description
2016-2-29	TAG-10164	On some versions of Linux (for example, RedHat), the `rlog.sh` scripted input improperly calls for the status of the `auditd` service, which forces the OS to redirect the call to the right service and generates an error in `splunkd.log`.
2015-12-15	TAG-4275	The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what's been fixed)

Publication date	Defect number	Description
2016-4-5	TAG-11059	The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Version 5.2.2

The Splunk Add-on for Unix and Linux was last updated on February 29, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date	Defect number	Description
2016-2-29	N/A	Bug fixes.
2016-2-29	TAG-10606	Event type definitions in the add-on have been updated to improve performance.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date	Defect number	Description
2016-2-29	TAG-10164	On some versions of Linux (for example, RedHat), the `rlog.sh` scripted input improperly calls for the status of the `auditd` service, which forces the OS to redirect the call to the right service and generates an error in `splunkd.log`.
2015-12-15	TAG-4275	The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what's been fixed)

Publication date	Defect number	Description
2016-2-29	TAG-10606	Event type definitions in the add-on have been updated to improve performance.
2016-2-29	TAG-10537	The add-on now determines the correct operating system version numbers on hosts that run AIX and Solaris.
2016-2-29	TAG-10474	A typo in a field transformation that referenced an invalid `FORMAT` argument has been fixed.
2016-2-29	TAG-9922	The add-on has been updated to not expose file and scripted input configuration controls on Splunk Cloud installations.

Version 5.2.1

The Splunk Add-on for Unix and Linux was last updated on December 15, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date	Defect number	Description
2015-12-15	N/A	Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date	Defect number	Description
2015-12-15	TAG-4275	On hosts that run AIX, the `vmstat.sh` script does not produce output.

Change Log (what's been fixed)

Publication date	Defect number	Description
2015-12-15	TAG-10147	A problem with `vmstat.sh` where space-delimited and tab-delimited entries were intermingled was fixed.
2015-12-15	TAG-10213	The add-on has been updated to move some of the data it collects into a data model. This is for use with the OS Module for Splunk IT Service Intelligence.
2015-12-15	TAG-4211	A problem where the `rlog.sh` and `[monitor://var/log]` stanzas within the add-on collected `audit.log` twice (in different ways) was fixed.

Version 5.2.0

The Splunk Add-on for Unix and Linux was last updated on September 18, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date	Defect number	Description
2015-9-18	N/A	Bug fixes.
2015-9-18	N/A	The app has been updated to be compatible with Splunk Enterprise version 6.3.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date	Defect number	Description
2015-10-13	TAG-4211	The `rlog.sh` scripted input and `[monitor:///var/log]` input stanza both collect `audit.log`, although in slightly different formats. This might result in duplicate data collection. To work around this problem, add a blacklist to the `[monitor:///var/log]` stanza: [monitor:///var/log] whitelist=(\.log\|log$\|messages\|secure\|auth\|mesg$\|cron$\|acpid$\|\.out) blacklist=(audit.log\|lastlog\|anaconda\.syslog) index=os disabled = 1

Change Log (what's been fixed)

Publication date	Defect number	Description
2015-9-18	TAG-9589	The add-on no longer breaks search-time extractions for `syslog` on upgrade.
2015-9-18	TAG-9482	The add-on no longer reports incorrect CPU usage when installed on a Solaris 10 host.
2015-9-18	TAG-9353	The `storage`, `storage_used`, and `storage_free` fields now display data in megabytes instead of bytes.
2015-9-18	TAG-9312	The `rlog.sh` scripted input now reads the first line of the `audit.log` file. This fixes a problem where events in Splunk Enterprise did not reflect all contents of the file.
2015-9-18	TAG-9220	The `package.sh` scripted input now populates the `RELEASE` field on Debian Linux systems.
2015-9-18	TAG-3913	The regular expression that defines line breaking patterns for the add-on no longer generates spurious errors in the line-breaking processor.

Version 5.1.2

The Splunk Add-on for Unix and Linux was last updated on April 1, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

The values for total, used, and free memory that the vmstat.sh script displays differ from the values that the native vmstat command displays. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
The vmstat scripted input does not work on AIX. (TAG-4518)
On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:

export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

Copyright information for the add-on has been updated and corrected. (TAG-9244)
The add-on no longer incorrectly displays in the Splunk Light Dashboards page. (TAG-9182)
The su_authentication event type within the add-on now has better su command event-matching logic. (TAG-8938)
The uptime.sh script in the add-on now handles ps output properly on HP-UX machines. (TAG-4204)
An unnecessary transform for WMI installed apps has been removed. (TAG-4191)
The top.sh script now accounts for the fact that, starting with Mac OS X version 10.9 Mavericks and later, there is no rshrd (resident shared address space size) statistic for the top command. On Mac OSX 10.9 Mavericks and later, the script now outputs "?" for that statistic, instead of generating an error. (TAG-4077)
The add-on no longer attempts to automatically learn new source types when you tell it to monitor large directories. (TAG-3986)

Version 5.1.1

The Splunk Add-on for Unix and Linux was last updated on February 13, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Bug fixes.
Feature additions to better work with Splunk Light (TAG-3983, TAG-8913).

Current known issues

The Splunk App for Unix and Linux has the following known issues:

The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:

export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

A cosmetic issue with the "Reset" button on the add-on configuration page has been fixed. (TAG-3976)
The documentation links in the add-on now go to valid places. (TAG-4421)

Version 5.1.0

The Splunk Add-on for Unix and Linux was last updated on October 6, 2014.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Bug fixes.
Feature additions to better work with the Splunk App for Enterprise Security.
The add-on now contains some knowledge layer improvements. (NIX-638)
The add-on now normalizes timestamps to work with the Change_Analysis data model. (NIX-668)
The add-on now has higher-resolution icons. (NIX-660)

Current known issues

The Splunk App for Unix and Linux has the following known issues:

The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:

export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

A problem with the first-time run experience where a file rename would cause the experience to repeat continuously was fixed. (NIX-664)
A search macro definition for network monitoring that conflicted with a similar definition in the Splunk Add-on for Windows was corrected. (NIX-663)
Values defined within stanzas in some configuration files now have proper URI encodings. (NIX-656)
The vmstat.sh script now properly returns results on systems with more than one mass storage device. (NIX-648)
A problem where event type searches generated false positives because they include the summary index has been fixed. (NIX-644)
The Splunk Supporting App for Unix and Linux (SA-Nix) no longer overwrites the action field. (NIX-641)
A search-time field extraction that referenced the syslog source type has been removed. (NIX-634)
A typo in the version.sh script has been corrected. (NIX-630)
The setup.sh script now properly accepts the --auth argument. This enables users to use the script to log into their Splunk Enterprise instance while setting up the Splunk App for Unix and Linux from the command line. (NIX-624)
A customer-submitted patch to interfaces.sh improves how that script gathers network interface error statistics. (NIX-623)

Related answers from Splunk Community

Release history for the Splunk Add-on for Unix and Linux

Version 9.1.0

Compatibility

New features

Bug fixes

Fixed issues

Known issues

Third-party software attributions

Version 9.0.0

Compatibility

New features

Bug fixes

Fixed issues

Known issues

Third-party software attributions

Version 8.10.0

Compatibility

New features

Fixed issues

Known issues

Third-party software attributions

Version 8.9.0

Compatibility

New features

Fixed issues

Known issues

Third-party software attributions

Version 8.8.0

Compatibility

New features

Fixed issues

Known issues

Third-party software attributions

Version 8.7.0

Compatibility

New features

Bug fixes

Fixed issues

Known issues

Third-party software attributions

Version 8.6.0

Compatibility

New features

Bug fixes

Fixed issues

Known issues

Third-party software attributions

Version 8.5.0

Compatibility

New features

Bug fixes

Fixed issues

Known issues

Third-party software attributions

Version 8.4.0

Compatibility

New features

Bug fixes

Fixed issues

Known issues

Third-party software attributions

Version 8.3.1

Compatibility

New features

Fixed issues

Known issues

Third-party software attributions

Version 8.3.0

Compatibility

New features

Fixed issues

Known issues

Third-party software attributions

Version 8.2.0

Compatibility

New features

Fixed issues

Known issues

Third-party software attributions