Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Robust implementation of scripts for Splunk Add-on for Unix and Linux

Version 8.9.0

As part of version 8.9.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of the cpu scripts to make them more robust and to work more efficiently on the AIX operating system.

Changes made as part of cpu scripts

The tables below show the field names extracted for the cpu scripts. They list the normalized field names that the cpu scripts output before version 8.9.0 and the new 'raw' field names output starting with version 8.9.0. Backward compatibility is maintained: the older fields are still output alongside the new fields from the raw output.

Table for cpu scripts

cpu.sh

| Fields in old script's output | Equivalent fields in new script's output for AIX OS |
| --- | --- |
| CPU | cpu |
| pctUser | us |
| pctSystem | sy |
| pctIowait | wa |
| pctIdle | id |

cpu_metric.sh

| Fields in old script's output | Equivalent fields in new script's output for AIX OS |
| --- | --- |
| metric_name:cpu_metric.pctUser | metric_name:cpu_metric.us |
| metric_name:cpu_metric.pctSystem | metric_name:cpu_metric.sy |
| metric_name:cpu_metric.pctIowait | metric_name:cpu_metric.wa |
| metric_name:cpu_metric.pctIdle | metric_name:cpu_metric.id |

Version 8.7.0

As part of version 8.7.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of ps, interfaces and df scripts to make them more robust and to work more efficiently across all supported operating systems.

Changes made as part of ps and df scripts

The tables below show the field names extracted for the ps and df scripts. They list the normalized field names that the ps and df scripts output before version 8.7.0 and the new 'raw' field names output starting with version 8.7.0. Backward compatibility is maintained: the older fields are still output alongside the new fields from the raw output.

Tables for ps scripts

ps.sh

| Fields in old script's output | New script's output: Linux kernel OSs | New script's output: Darwin & FreeBSD kernel OSs | New script's output: Solaris kernel OSs | New script's output: AIX kernel OSs |
| --- | --- | --- | --- | --- |
| CPUTIME | TIME | TIME | TIME | TIME |
| RSZ_KB | RSS | RSS | RSS | RSS |
| S | STAT | STAT | S | S |
| TTY | TTY | TT | TTY | TT |
| VSZ_KB | VSZ | VSZ | VSZ | VSZ |
| pctCPU | CPU | CPU | CPU | CPU |
| pctMEM | MEM | MEM | MEM | MEM |

ps_metric.sh

| Fields in old script's output | Equivalent fields in new script's output for all supported kernels |
| --- | --- |
| metric_name:ps_metric.RSZ_KB | metric_name:ps_metric.RSS |
| metric_name:ps_metric.VSZ_KB | metric_name:ps_metric.VSZ |
| metric_name:ps_metric.pctCPU | metric_name:ps_metric.CPU |
| metric_name:ps_metric.pctMEM | metric_name:ps_metric.MEM |

Note: For ps and ps_metric scripts, ELAPSED and PSR were removed from kernel outputs except for AIX and SunOS as part of v8.7.0.

For the USER field in ps scripts, the add-on previously removed the preceding underscore (if any) from the value and then ingested the field. From v8.7.0 onwards, the add-on will be ingesting the value of the field as it is. If this field is used by any of your applications or use cases, Splunk best practice is to update them accordingly.

Tables for df scripts

df.sh

| Fields in old script's output | New script's output: Linux kernel OSs | New script's output: Darwin & FreeBSD kernel OSs | New script's output: Solaris kernel OSs | New script's output: AIX kernel OSs |
| --- | --- | --- | --- | --- |
| Size | Size | Size | Size | 1024-blocks |
| Avail | Avail | Avail | Available | Available |
| UsePct | Use_ | Capacity | Capacity | Capacity |
| INodes | Inodes | INodes | INodes | INodes |
| IUsed | IUsed | iused | IUsed | Iused |
| IFree | IFree | ifree | IFree | Ifree |
| IUsePct | IUse_ | IUsePct | IUsePct | IUsePct |

df_metric.sh

| Fields in old script's output | New script's output: Linux kernel OSs | New script's output: Darwin kernel OSs | New script's output: FreeBSD kernel OSs | New script's output: Solaris kernel OSs | New script's output: AIX kernel OSs |
| --- | --- | --- | --- | --- | --- |
| metric_name:df_metric:Size | metric_name:df_metric:1K-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:Size | metric_name:df_metric:1024-blocks |
| metric_name:df_metric:Avail | metric_name:df_metric:Avail | metric_name:df_metric:Availble | metric_name:df_metric:Avail | metric_name:df_metric:Avail | metric_name:df_metric:Available |
| metric_name:df_metric:UsePct | metric_name:df_metric:Use | metric_name:df_metric:Capacity | metric_name:df_metric:Capacity | metric_name:df_metric:UsePct | metric_name:df_metric:Capacity |
| metric_name:df_metric:INodes | metric_name:df_metric:Inodes | metric_name:df_metric:INodes | metric_name:df_metric:INodes | metric_name:df_metric:INodes | metric_name:df_metric:INodes |
| metric_name:df_metric:IUsed | metric_name:df_metric:IUsed | metric_name:df_metric:iused | metric_name:df_metric:iused | metric_name:df_metric:IUsed | metric_name:df_metric:Iused |
| metric_name:df_metric:IFree | metric_name:df_metric:IFree | metric_name:df_metric:ifree | metric_name:df_metric:ifree | metric_name:df_metric:IFree | metric_name:df_metric:Ifree |
| metric_name:df_metric:IUsePct | metric_name:df_metric:IUse | metric_name:df_metric:IUsePct | metric_name:df_metric:IUsePct | metric_name:df_metric:IUsePct | metric_name:df_metric:IUsePct |
| metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used |
| metric_name:df_metric:Size_KB | metric_name:df_metric:1K-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:Size | metric_name:df_metric:1024-blocks |
| metric_name:df_metric:Avail_KB | metric_name:df_metric:Avail | metric_name:df_metric:Available | metric_name:df_metric:Available | metric_name:df_metric:Avail | metric_name:df_metric:Available |


Changes made as part of interfaces scripts

We have made the interfaces scripts less error-prone in case the output of the raw command changes. No new fields were added for the interfaces scripts as part of v8.7.0.


Version 8.6.0

As part of version 8.6.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of iostat scripts to make them more robust and to work more efficiently across all supported operating systems.

The most significant change concerns field extractions: Splunk best practice is now to extract data into both the raw field names output by the iostat command and the normalized field names that the add-on previously used. This enables you to build Splunk content (searches, reports, dashboards, etc.) and leverage all the data points produced by the iostat command.

The table below shows an example of field names extracted on Ubuntu OS. It lists the normalized field names which the iostat script previously displayed before version 8.6.0 and also displays the new 'raw' field names output starting with version 8.6.0. Splunk maintains backward compatibility of existing content as older fields are extracted, but Splunk best practice is to update content to use the new field names.

| Old field extraction names | New field extraction names |
| --- | --- |
| rReq_PS | r_s |
| rKB_PS | rkB_s |
| rrqmPct | rrqm |
| rAvgReqSZkb | rareq_sz |
| rAvgWaitMillis | r_await |
| wReq_PS | w/s |
| wKB_PS | wKB_s |
| wrqmPct | wrqm |
| wAvgWaitMilli | w_await |
| wAvgReqSZkb | wareq_sz |
| avgQueueSZ | aqu_sz |
| bandwUtilPct | util |
| avgSvcMillis | svctm |
| avgWaitMillis | await |

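
To act on the advice to update content, the following added example (not part of the add-on or of Splunk's documentation) audits saved searches for the old field names listed on this page and for the ps USER field, whose value changed in v8.7.0. It assumes savedsearches.conf syntax, uses a constructed sample file, and covers only a subset of the Linux column of the tables above.

```python
import re

# Old normalized name -> new raw name on Linux (subset of the tables on this page).
LINUX_RENAMES = {
    "pctCPU": "CPU", "pctMEM": "MEM", "RSZ_KB": "RSS", "VSZ_KB": "VSZ",
    "CPUTIME": "TIME", "UsePct": "Use_", "IUsePct": "IUse_",
    "rReq_PS": "r_s", "rKB_PS": "rkB_s", "bandwUtilPct": "util",
    "USER": "USER (value now ingested as-is)",
}

# Constructed sample; a trailing backslash continues the value on the next line.
SAMPLE_CONF = r"""
[High CPU process]
search = sourcetype=ps | where pctCPU > 90 \
| table host USER COMMAND pctCPU RSZ_KB
[Disk nearly full]
search = sourcetype=df | where UsePct > 95
[Failed logins]
search = sourcetype=linux_secure "Failed password" | stats count by user
"""

def parse_conf(text):
    """Return {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
        elif line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit(text, renames=LINUX_RENAMES):
    """Map each stanza name to {old_field: replacement} found in its search."""
    findings = {}
    for name, keys in parse_conf(text).items():
        search = keys.get("search", "")
        # Whole-identifier match, so UsePct is not reported inside IUsePct.
        hits = {old: new for old, new in renames.items()
                if re.search(r"(?<!\w)" + re.escape(old) + r"(?!\w)", search)}
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Because the old fields are still extracted, a hit marks content to migrate rather than a broken search; a USER hit on ps data needs a manual check of any comparison against account names that begin with an underscore.
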
Last modified on 12 July, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

