Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux


Release history for the Splunk Add-on for Unix and Linux

The latest version of the Splunk Add-on for Unix and Linux is 8.4.0. For the release notes of that version, see Release notes for the Splunk Add-on for Unix and Linux.

Version 8.3.1

Version 8.3.1 of the Splunk Add-on for Unix and Linux was released on July 26, 2021.


Compatibility

Version 8.3.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.0.x, 8.1.x, 8.2.x
CIM: 4.18
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following new features:

  • Updated the setup page of the add-on to make it compatible with jQuery3.

Fixed issues

No fixed issues are listed for version 8.3.1 of the Splunk Add-on for Unix and Linux.

Known issues

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2021-01-20 ADDON-33139 The netstat.sh and openPorts.sh inputs log errors in splunkd.log when the add-on is installed on macOS 10.15.7
2020-06-18 ADDON-27321 nfsiostat.sh fails with "ImportError: This package should not be accessible on Python 3"
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-20 ADDON-26130 When there is no new data to ingest from audit.log, the rlog.sh script logs an error in splunkd.log
2020-04-20 ADDON-26131, ADDON-33138 The protocol.sh input logs an error in splunkd.log when the add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.3.0

Version 8.3.0 of the Splunk Add-on for Unix and Linux was released on February 3, 2021.


Compatibility

Version 8.3.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM: 4.18
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for CentOS 8, RHEL 8.3, Solaris 11.4, Ubuntu 20.10, FreeBSD 12.2, and macOS 10.15
  • Common Information Model (CIM) version 4.18 compatibility
  • Enhanced CIM mappings and extractions for the 'linux_secure' and 'aix_secure' sourcetypes
  • Enhanced CIM mappings and extractions for the 'dhcpd' sourcetype
  • Mapped the Endpoint.FileSystem data model to the 'fs_notification' sourcetype
  • Mapped the Performance.CPU data model to the 'ps' sourcetype
  • Mapped the Performance.Storage data model to the 'nfsiostat' sourcetype
  • Mapped the Endpoint.Ports data model to the 'netstat' sourcetype
  • Removed data model mappings from the 'top' and 'Unix:ListeningPorts' sourcetypes
  • Added the reason CIM field for the 'Authentication.Failed_Authentication' data model

Fixed issues

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2021-01-28 ADDON-31685 The top.sh script used by Splunk_TA_nix does not correctly extract the fields of the 'top' command on FreeBSD

Known issues

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2021-01-20 ADDON-33139 The netstat.sh and openPorts.sh inputs log errors in splunkd.log when the add-on is installed on macOS 10.15.7
2020-06-18 ADDON-27321 nfsiostat.sh fails with "ImportError: This package should not be accessible on Python 3"
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-20 ADDON-26130 When there is no new data to ingest from audit.log, the rlog.sh script logs an error in splunkd.log
2020-04-20 ADDON-26131, ADDON-33138 The protocol.sh input logs an error in splunkd.log when the add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.


Version 8.2.0

Version 8.2.0 of the Splunk Add-on for Unix and Linux was released on September 21, 2020.

Compatibility

Version 8.2.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM: 4.16
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Updated and added new CIM field compatibility for various sourcetypes.
  • Removed deprecated CIM models and upgraded to new CIM models.

Fixed issues

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2020-08-18 ADDON-27953 Metric scripts produce an error if the OSName variable contains spaces

Known issues

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2020-12-04 ADDON-31685 The top.sh script used by Splunk_TA_nix does not correctly extract the fields of the 'top' command on FreeBSD

Workaround:
On multiprocessor systems, FreeBSD top prints an extra C column (the CPU the process last ran on) before TIME, which shifts the remaining columns by one. In top.sh, in the FreeBSD branch (the block that begins with elif [ "x$KERNEL" = "xFreeBSD" ] ; then), change:

FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$9; pctCPU=0+$10; command=$11}'

to

FORMAT_DOMAIN='{pr=$4; ni=$5; virt=$6; res=$7; stateRaw=$8; cpuTIME=$10; pctCPU=$11; command=$12}'

This aligns the columns correctly.

2020-06-18 ADDON-27321 nfsiostat.sh fails with "ImportError: This package should not be accessible on Python 3"
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-20 ADDON-26130 When there is no new data to ingest from audit.log, the rlog.sh script logs an error in splunkd.log
2020-04-20 ADDON-26131, ADDON-33138 The protocol.sh input logs an error in splunkd.log when the add-on is installed on macOS
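The column shift in the ADDON-31685 workaround above comes from the optional C column, so any fixed $9/$10/$11 mapping is right on one class of FreeBSD hosts and wrong on the other. A more robust approach is to resolve column positions from top's own header line. The following is an added example written for this page, not code from the add-on: a small sh/awk function that does that, exercised against two constructed top -b samples (one with the C column, one without), and which rejoins the COMMAND column so commands containing spaces are not cut off. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: parse FreeBSD "top -b" process lines by resolving column
# positions from top's own header row, instead of hard-coding $9/$10/$11
# (no C column) or $10/$11/$12 (SMP systems, which print a C column).
# Reads top output on stdin and prints one key=value line per process.
# Function and variable names are this example's own, not the add-on's.
top_fields() {
    awk '
    # Header row: remember the 1-based index of every column name.
    $1 == "PID" {
        for (i = 1; i <= NF; i++) col[$i] = i
        seen_header = 1
        next
    }
    # Skip the summary lines above the header and any blank lines.
    !seen_header || NF == 0 { next }
    {
        # COMMAND is the last column and may contain spaces ("syslogd -s"),
        # so rejoin every field from the COMMAND column to the end of line.
        cmd = $(col["COMMAND"])
        for (i = col["COMMAND"] + 1; i <= NF; i++) cmd = cmd " " $i
        # WCPU is printed as "1.20%"; drop the percent sign to get a number.
        pct = $(col["WCPU"])
        sub(/%$/, "", pct)
        printf "pid=%s pr=%s ni=%s virt=%s res=%s state=%s cpuTIME=%s pctCPU=%s command=%s\n",
            $(col["PID"]), $(col["PRI"]), $(col["NICE"]), $(col["SIZE"]),
            $(col["RES"]), $(col["STATE"]), $(col["TIME"]), pct, cmd
    }'
}

# Constructed sample of SMP output (has the C column); not captured from a real host.
SAMPLE_SMP='last pid: 1234;  load averages:  0.21,  0.18,  0.11  up 3+02:11:04    10:15:22
42 processes:  1 running, 41 sleeping

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
  812 root          1  20    0    13M  3448K select   1   0:05   0.00% syslogd -s
 1402 splunk       14  52    0   420M   187M uwait    0  12:33   1.20% splunkd'

# Constructed sample of single-CPU output (no C column).
SAMPLE_UP='  PID USERNAME    THR PRI NICE   SIZE    RES STATE   TIME    WCPU COMMAND
  812 root          1  20    0    13M  3448K select  0:05   0.00% syslogd -s'

parse_smp() { printf '%s\n' "$SAMPLE_SMP" | top_fields; }
parse_up()  { printf '%s\n' "$SAMPLE_UP"  | top_fields; }

# On a real FreeBSD host: top -b | top_fields
parse_smp
parse_up
```

Both samples produce the same key=value line for PID 812, which is the point: the header-driven lookup makes the presence or absence of the C column irrelevant, and the same technique covers any future column top adds or reorders.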

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.1.0

Version 8.1.0 of the Splunk Add-on for Unix and Linux was released on June 24, 2020.

Compatibility

Version 8.1.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM: 4.15
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

New features

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for the metrics index for collecting statistical information from the cpu, df, iostat, interfaces, vmstat, and ps sources.
  • Added support for the chrony command for collecting time-service information.

Fixed issues

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2020-06-16 ADDON-26155 Header data is also indexed as an event for the "interfaces", "lastlog", "who" and "top" source types
2020-06-16 ADDON-16732 Script crashes and needs to be updated because ntpdate is deprecated
2020-06-02 ADDON-21184 service.sh outputs time as a service
2020-05-27 ADDON-26291 Fields are not extracted for the 'auditd', 'lastlog' and 'netstat' source types

Known issues

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2020-07-27 ADDON-27953 Metric scripts produce an error if the OSName variable contains spaces
2020-06-18 ADDON-27321 nfsiostat.sh fails with "ImportError: This package should not be accessible on Python 3"
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-20 ADDON-26130 When there is no new data to ingest from audit.log, the rlog.sh script logs an error in splunkd.log
2020-04-20 ADDON-26131, ADDON-33138 The protocol.sh input logs an error in splunkd.log when the add-on is installed on macOS

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.0.0

Version 8.0.0 of the Splunk Add-on for Unix and Linux was released on April 28, 2020.


Compatibility

Version 8.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM: 4.15
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

Script compatibility

Columns, left to right: CentOS 6, CentOS 7, RHEL 6.9, RHEL 7.4, RHEL 8.0, Ubuntu 14.04, Ubuntu 16.04, Solaris 10, Solaris 11.3, Solaris 11.0, AIX 7.1, AIX 7.2, FreeBSD 9, FreeBSD 10, FreeBSD 11, FreeNAS 11.3U1 (see note 13), Mac OS X 10.11, Mac OS X 10.12. Y means supported and N means not supported; a number after Y or N refers to the numbered note below the table.

bandwidth.sh Y Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y Y
lsof.sh Y14 Y14 Y14 Y14 Y14 Y14 Y14 N N N N N N Y14 Y14 Y14 Y14 Y14
netstat.sh Y Y Y Y Y Y Y N N N N N N N N Y N N
nfsiostat.sh (note 12) Y Y Y Y Y Y Y N N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y Y N N N N N N Y Y
package.sh Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y6,14,16 Y6,14,16 Y14,16 Y14 Y14
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y Y
rlog.sh Y Y8 Y Y8 Y8 Y9 Y N N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y Y N N N N N N N N N N N N
service.sh Y Y Y Y Y N10 Y Y Y Y N N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y Y N N N N N N N N
time.sh Y11 Y11 Y Y Y11 Y Y Y Y Y Y Y11 Y Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y Y N N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 N Y15 Y15
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y


Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, but the script indexes the header line as an extra event.
  6. Supported. pkg_info is deprecated, so pkg info is used instead.
  7. Supported, but the COMMAND field value is truncated.
  8. Supported, error log messages are included. Not supported on RHEL/CentOS 7.3.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate (or chrony on RHEL 8).
  12. Supported on Linux only, requires the nfs-utils package.
  13. Only FreeNAS 11.3U1 is supported.
  14. The bash shell is required to run the script. Install the bash package for this input.
  15. Requires the vsftpd package.
  16. The package name, version and architecture are ingested by the Splunk software.

New features

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Common Information Model (CIM) version 4.15 compatibility.
  • Support for RHEL version 8.0.
  • Increased the ps.sh COMMAND field width to accommodate long values.
  • Ability to capture sshd authentication events that do not contain "from" in the event.
  • Support for FreeNAS version 11.3U1.

Fixed issues

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2020-04-16 ADDON-17763 Error log messages appear in splunkd.log when rlog.sh runs on CentOS 7 and RHEL 7.4
2020-04-16 ADDON-17607 The openPorts.sh script indexed "Header" information into Splunk as an extra event
2020-04-16 ADDON-21209 The 'Description' field is not properly extracted from events for the service.sh script on CentOS 7
2020-03-31 ADDON-21887 cpu.sh and vmstat.sh return aggregate results on SunOS instead of a snapshot
2019-12-11 ADDON-23937 The interfaces script throws an error when touching disabled and unconfigured interfaces
2019-12-09 ADDON-23292, ADDON-16135 Search Job Alerts for Splunk defined eventtype

Known issues

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2020-06-18 ADDON-27321 nfsiostat.sh fails with "ImportError: This package should not be accessible on Python 3"
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-24 ADDON-26291 Fields are not extracted for the 'auditd', 'lastlog' and 'netstat' source types
2020-04-21 ADDON-26155 Header data is also indexed as an event for the "interfaces", "lastlog", "who" and "top" source types
2020-04-20 ADDON-26130 When there is no new data to ingest from audit.log, the rlog.sh script logs an error in splunkd.log
2020-04-20 ADDON-26131, ADDON-33138 The protocol.sh input logs an error in splunkd.log when the add-on is installed on macOS
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-04-18 ADDON-17753 The COMMAND field value is truncated in the UI on FreeBSD 9, 10 and 11
2018-03-27 ADDON-17560 Data is not indexed for service.sh on Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.


Version 7.0.1

Version 7.0.1 of the Splunk Add-on for Unix and Linux was released on March 14, 2020.

Compatibility

Version 7.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0
CIM: 4.12
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

Script compatibility

Columns, left to right: CentOS 6, CentOS 7, RHEL 7.4, RHEL 6.9, Ubuntu 14.04, Ubuntu 16.04, Solaris 10, Solaris 11.3, Solaris 11.0, AIX 7.1, AIX 7.2, FreeBSD 9, FreeBSD 10, FreeBSD 11, Mac OS X 10.11, Mac OS X 10.12. Y means supported and N means not supported; a number after Y or N refers to the numbered note below the table.

bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y N N N N N N N N N N
nfsiostat.sh (note 12) Y Y Y Y Y Y N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 7.0 or later from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following new features:

  • Default support for Python3

Fixed issues

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2019-09-26 ADDON-21212 The interfaces script throws an error when touching disabled and unconfigured interfaces.

Known issues

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-24 ADDON-26291 Fields are not extracted for the 'auditd', 'lastlog' and 'netstat' source types
2019-10-23 ADDON-24037 The interfaces.sh script does not work with the "ifconfig" command

Workaround:
If the system does not have the "ip" command and only has "ifconfig", the interfaces.sh script may return incorrect results.

In that case, change CMD_LIST_INTERFACES to CMD_LIST_UP_INTERFACES on line 28 of the script, so that the line reads:

CMD_LIST_UP_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:\|mtu' | grep -Ev lo | tee -a $TEE_DEST | cut -d' ' -f1 | cut -d':' -f1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"

2019-02-05 ADDON-21209 The 'Description' field is not properly extracted from events for the service.sh script on CentOS 7
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-04-18 ADDON-17753 The COMMAND field value is truncated in the UI on FreeBSD 9, 10 and 11
2018-04-03 ADDON-17607 The openPorts.sh script indexed "Header" information into Splunk as an extra event
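The ADDON-24037 workaround above depends on two details worth checking on any host before trusting the interface list: the ifconfig output format (old net-tools prints "name Link encap:...", newer net-tools and the BSDs print "name: flags=... mtu N"), and the loopback filter, where grep -Ev lo drops any interface whose name merely contains "lo", such as wlo1. The following is an added example written for this page, not code from the add-on: it separates the parsing from the command so it can be checked against constructed ifconfig and ip -o link samples, prefers ip when it is installed, and excludes loopback by exact name. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: list non-loopback network interfaces, preferring "ip" and
# falling back to "ifconfig". The parsers read command output on stdin so they
# can be checked against constructed samples. Function and variable names are
# this example's own, not the add-on's.

# Interface names from "ifconfig -a" output, for both formats:
#   old net-tools:                "eth0      Link encap:Ethernet  HWaddr ..."
#   newer net-tools and the BSDs: "eth0: flags=4163<UP,...>  mtu 1500"
ifconfig_names() {
    awk '
    /Link encap:/ { print $1; next }
    /^[A-Za-z0-9_.@-]+: .*mtu [0-9]+/ { sub(/:$/, "", $1); print $1 }
    '
}

# Interface names from "ip -o link" output ("2: eth0: <BROADCAST,...> mtu 1500 ...").
# veth-style names carry a peer suffix ("veth3a@if4"); keep only the local name.
ip_link_names() {
    awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Exclude loopback by exact name (lo on Linux, lo0 on the BSDs and macOS).
# A plain "grep -v lo" would also drop any interface whose name contains "lo",
# such as wlo1.
drop_loopback() {
    grep -Ev '^lo[0-9]*$' | sort -u
}

# Live use on a host: pick the tool that is actually installed.
list_interfaces() {
    if command -v ip >/dev/null 2>&1; then
        ip -o link | ip_link_names | drop_loopback
    else
        ifconfig -a | ifconfig_names | drop_loopback
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_IFCONFIG_OLD='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'

SAMPLE_IFCONFIG_NEW='wlo1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.7  netmask 255.255.255.0  broadcast 10.0.0.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500'

SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
5: veth3a@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP mode DEFAULT group default \    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

names_old() { printf '%s\n' "$SAMPLE_IFCONFIG_OLD" | ifconfig_names | drop_loopback; }
names_new() { printf '%s\n' "$SAMPLE_IFCONFIG_NEW" | ifconfig_names | drop_loopback; }
names_ip()  { printf '%s\n' "$SAMPLE_IP_LINK"      | ip_link_names  | drop_loopback; }

names_old   # eth0
names_new   # docker0, wlo1
names_ip    # eth0, veth3a
```

Note that wlo1 survives in the new-format sample only because loopback is matched by exact name; with the original grep -Ev lo filter it would be silently missing from the inventory, which matters when the interface list feeds the bandwidth or netstat data that downstream detections rely on.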

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 7.0

Version 7.0 of the Splunk Add-on for Unix and Linux was released on October 21, 2019.

Compatibility

Version 7.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0
CIM: 4.12
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

Script compatibility

Columns, left to right: CentOS 6, CentOS 7, RHEL 7.4, RHEL 6.9, Ubuntu 14.04, Ubuntu 16.04, Solaris 10, Solaris 11.3, Solaris 11.0, AIX 7.1, AIX 7.2, FreeBSD 9, FreeBSD 10, FreeBSD 11, Mac OS X 10.11, Mac OS X 10.12. Y means supported and N means not supported; a number after Y or N refers to the numbered note below the table.

bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y N N N N N N N N N N
nfsiostat.sh (note 12) Y Y Y Y Y Y N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 7.0 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 7.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for Python3

Fixed issues

Version 7.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2019-09-26 ADDON-21212 The interfaces script throws an error when touching disabled and unconfigured interfaces.

Known issues

Version 7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2020-04-24 ADDON-26293 Field values break when a value contains a space, for the 'lsof' and 'usersWithLoginPrivs' source types
2020-04-24 ADDON-26292 An additional broken-pipe error is logged in splunkd.log, alongside correct data, for cpu.sh on Solaris
2020-04-24 ADDON-26291 Fields are not extracted for the 'auditd', 'lastlog' and 'netstat' source types
2019-02-05 ADDON-21209 The 'Description' field is not properly extracted from events for the service.sh script on CentOS 7
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-04-18 ADDON-17753 The COMMAND field value is truncated in the UI on FreeBSD 9, 10 and 11
2018-04-03 ADDON-17607 The openPorts.sh script indexed "Header" information into Splunk as an extra event

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.


Version 6.0.2

Version 6.0.2 of the Splunk Add-on for Unix and Linux was released on February 18, 2019.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.2 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM: 4.12
Supported OS for data collection: All supported Unix operating systems. See Unix operating systems.
Vendor products: All supported Unix operating systems. See Unix operating systems.

Script compatibility

Columns, left to right: CentOS 6, CentOS 7, RHEL 7.4, RHEL 6.9, Ubuntu 14.04, Ubuntu 16.04, Solaris 10, Solaris 11.3, Solaris 11.0, AIX 7.1, AIX 7.2, FreeBSD 9, FreeBSD 10, FreeBSD 11, Mac OS X 10.11, Mac OS X 10.12. Y means supported and N means not supported; a number after Y or N refers to the numbered note below the table.

bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y N N N N N N N N N N
nfsiostat.sh (note 12) Y Y Y Y Y Y N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.2 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

No new features are listed for version 6.0.2 of the Splunk Add-on for Unix and Linux.

Fixed issues

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2019-02-04 ADDON-20084 For the CIM All_Application_State model, the service field is labeled "Unknown"
2019-01-17 ADDON-17448 CPU core is not properly indexed by Splunk_TA_nix on FreeBSD 11
2018-12-19 ADDON-17431 Eventtype unix_runlevel_change name mismatch between eventtypes.conf and tags.conf

Known issues

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2019-10-11 ADDON-23937 The interfaces script throws an error when touching disabled and unconfigured interfaces
2019-09-12 ADDON-23291 iostat.sh causes indexing queues to fill with the default props settings
2019-09-12 ADDON-23292, ADDON-16135 Search Job Alerts for Splunk defined eventtype

Workaround:
None known
2019-02-05 ADDON-21209 The 'Description' field is not properly extracted from events for the service.sh script on CentOS 7
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-04-19 ADDON-17763 Error log messages appear in splunkd.log when rlog.sh runs on CentOS 7 and RHEL 7.4

Workaround:
In the rlog.sh script, replace

if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then

with

if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then

2018-04-18 ADDON-17753 The COMMAND field value is truncated in the UI on FreeBSD 9, 10 and 11
2018-04-03 ADDON-17607 The openPorts.sh script indexed "Header" information into Splunk as an extra event
2018-03-27 ADDON-17560 Data is not indexed for service.sh on Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.



Version 6.0.1

Version 6.0.1 of the Splunk Add-on for Unix and Linux was released on September 20, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection All supported Unix operating systems. See Unix operating systems.
Vendor products All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script CentOS 6 CentOS 7 RHEL 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.1 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

The Splunk Add-on for Unix and Linux version 6.0.1 has the following new features:

  • Supported extraction for the cpu_instance field. Earlier versions extracted only cpu=all. Version 6.0.1 can extract field values for individual core numbers in addition to cpu=all.
  • Supported extraction for the mem_page_in and mem_page_out field
  • Supported extraction for the swap_percent field
  • Supported extraction for the cpu_architecture field

Fixed issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2018-09-05 ADDON-19194 Incorrect value in swapUsedPct field in FreeBSD os
2018-09-04 ADDON-18051 Extract cpu_instance field (ITSI OS Module requirement)
2018-09-02 ADDON-18093 Extract field swap_percent (ITSI OS Module requirement)
2018-08-30 ADDON-18095 Extract fields mem_page_in and mem_page_out (ITSI OS Module requirement)
2018-08-27 ADDON-18042 Extract cpu_architecture field (ITSI OS Module requirement)

Known issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2019-02-05 ADDON-21209 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-10-24 ADDON-20084 For CIM All_Application_State model field service is labeled as "Unknown"
2018-04-19 ADDON-17763 Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4

Workaround:
Replace

if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then

in rlog.sh script with

if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then

2018-04-18 ADDON-17753 Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03 ADDON-17607 openPorts.sh script indexed "Header" information into Splunk as an extra event.

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.0

Version 6.0.0 of the Splunk Add-on for Unix and Linux was released on June 21, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduces breaking changes. If you are upgrading from a previous version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection All supported Unix operating systems. See Unix operating systems.
Vendor products All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script CentOS 6 CentOS 7 RHEL 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.

Upgrade

All users upgrading to the Splunk Add-on for Unix and Linux version 6.0.0 must follow the prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.0 of the Splunk Add-on for Unix and Linux contains the following new and changed features:

  • Added support for RedHat Enterprise Linux 7
  • Added support for Solaris 10 and Solaris 11
  • Linux scripts migrated from net-tools to iproute2 to support current Linux releases

Script updates

  • netstat.sh (sourcetype=netstat) is updated. The Proto field no longer contains the IP address type and the State field value is truncated.
    Proto  Recv-Q  Send-Q  LocalAddress          ForeignAddress        State
    tcp         0       0  127.0.0.1:53350       127.0.0.1:8191        ESTAB
    tcp         0       0  127.0.0.1:8191        127.0.0.1:53324       ESTAB
    tcp         0     128  :::22                 :::*                  LISTEN
    tcp         0     100  ::1:25                :::*                  LISTEN
    
  • openPorts.sh (sourcetype=openPorts) is updated. The protocol field no longer contains the IP address type.
    tcp 22
    tcp 8089
    tcp 25
    tcp 8191
    tcp 8000
    tcp 8065
    tcp 22
    tcp 25
    
  • interfaces.sh (sourcetype=interfaces) is updated. The inetAddr field now contains the netmask.
    Name  MAC                inetAddr       inet6Addr                    Collisions  RXbytes    RXerrors  TXbytes  TXerrors  Speed      Duplex
    eth0  00:50:56:95:a4:f7  10.0.3.235/20  fe80::250:56ff:fe95:a4f7/64  0           620790375  0         2982390  0         10000Mb/s  Full
    
  • lastlog.sh (sourcetype=lastlog) is updated. The LATEST field no longer contains the seconds and year in the timestamp, and the FROM field only contains an IP address.
    USERNAME                        FROM                            LATEST
    user1                           10.0.1.1                        Thu Mar 29 13:04
    user2                           10.0.1.1                        Mon Apr 9 14:34
    
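The format changes above drop information that older field extractions relied on: the Proto field no longer distinguishes tcp from tcp6, and inetAddr now carries a CIDR prefix instead of a bare address. The following Python is an added example, not code from the add-on or from this documentation. It parses the sample netstat and interfaces output shown above (copied from the release note), recovers the IP version and wildcard status from the address itself, splits the iproute2-style host:port endpoints (including IPv6 forms such as ":::22"), and derives the netmask from the prefix. The function names parse_netstat, parse_interfaces, split_endpoint and listening_ports are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

# Sample netstat sourcetype output, copied from the 6.0.0 release note above.
NETSTAT_SAMPLE = """\
Proto  Recv-Q  Send-Q  LocalAddress          ForeignAddress        State
tcp         0       0  127.0.0.1:53350       127.0.0.1:8191        ESTAB
tcp         0       0  127.0.0.1:8191        127.0.0.1:53324       ESTAB
tcp         0     128  :::22                 :::*                  LISTEN
tcp         0     100  ::1:25                :::*                  LISTEN
"""

# Sample interfaces sourcetype output, copied from the release note above.
INTERFACES_SAMPLE = """\
Name  MAC                inetAddr       inet6Addr                    Collisions  RXbytes    RXerrors  TXbytes  TXerrors  Speed      Duplex
eth0  00:50:56:95:a4:f7  10.0.3.235/20  fe80::250:56ff:fe95:a4f7/64  0           620790375  0         2982390  0         10000Mb/s  Full
"""


def _rows(text: str) -> List[Dict[str, str]]:
    """Split whitespace-delimited output into dicts keyed by the header row.
    Rejects rows whose column count does not match the header, so a changed
    script format fails loudly instead of silently shifting fields."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        fields = ln.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in line: {ln!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def split_endpoint(endpoint: str) -> Dict[str, object]:
    """Split an iproute2-style 'host:port' endpoint.
    The port is everything after the last colon, so IPv6 endpoints such as
    ':::22' (any address, port 22) and '::1:25' (loopback, port 25) work.
    Because Proto no longer says tcp6, the IP version is taken from the host.
    A port of '*' (any port, seen on listeners' ForeignAddress) becomes None."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host)
    return {
        "host": host,
        "port": int(port) if port.isdigit() else None,
        "ip_version": addr.version,
        "wildcard": addr.is_unspecified,  # bound to all addresses
    }


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse the post-6.0.0 netstat sourcetype into structured records."""
    return [
        {
            "proto": row["Proto"],
            "recv_q": int(row["Recv-Q"]),
            "send_q": int(row["Send-Q"]),
            "local": split_endpoint(row["LocalAddress"]),
            "foreign": split_endpoint(row["ForeignAddress"]),
            "state": row["State"],  # truncated form, e.g. ESTAB
        }
        for row in _rows(text)
    ]


def listening_ports(records: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Distinct (proto, port) pairs in LISTEN state: what openPorts.sh reports."""
    ports = {(r["proto"], r["local"]["port"]) for r in records if r["state"] == "LISTEN"}
    return sorted(ports)


def parse_interfaces(text: str) -> List[Dict[str, object]]:
    """Parse the post-6.0.0 interfaces sourcetype; inetAddr is now CIDR."""
    out = []
    for row in _rows(text):
        iface = ipaddress.ip_interface(row["inetAddr"])
        out.append({
            "name": row["Name"],
            "mac": row["MAC"],
            "address": str(iface.ip),
            "prefixlen": iface.network.prefixlen,
            "netmask": str(iface.netmask),
            "network": str(iface.network),
            "inet6": row["inet6Addr"],
        })
    return out


if __name__ == "__main__":
    for rec in parse_netstat(NETSTAT_SAMPLE):
        print(rec["proto"], rec["local"], rec["state"])
    print("listening:", listening_ports(parse_netstat(NETSTAT_SAMPLE)))
    print(parse_interfaces(INTERFACES_SAMPLE))
```

The column-count check in _rows is the part worth keeping when adapting this to your own extractions: the 6.0.0 change shows that script output formats do move, and a parser that silently shifts fields will produce plausible-looking but wrong values for address and state.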

Fixed issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux fixed the following issues:


Date resolved Issue number Description
2018-04-12 ADDON-14093 vmstat script error on AIX
2018-03-30 ADDON-12085 recursive search for bash_histories is expensive
2018-03-27 ADDON-14719 Add-on not Supporting current OS Releases
2018-03-27 ADDON-12862, ADDON-12805 vmstat.sh throws ExecProcessor errors on machines with InfiniBand interfaces
2018-03-23 ADDON-13986 cpu.sh indexed output is missing core number.

Known issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:


Date filed Issue number Description
2019-02-05 ADDON-21212 interfaces script throwing error when touching disabled and not configured interfaces.
2019-02-05 ADDON-21209 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-04-19 ADDON-17763 Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4

Workaround:
Replace

if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then

in rlog.sh script with

if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then

2018-04-18 ADDON-17753 Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-03 ADDON-17607 openPorts.sh script indexed "Header" information into Splunk as an extra event.
2018-03-27 ADDON-17560 Data is not getting indexed for service.sh in Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 5.2.4

The Splunk Add-on for Unix and Linux was last updated in December 2017.

What's new

See the known issues and fixed issues of these release notes for product updates.

Fixed issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux fixed the following issues:


Date resolved Issue number Description
2017-04-17 ADDON-8472 Logic failure in rlog.sh creates duplicates when the seekpointer file cannot be updated and silently fails
2017-03-28 ADDON-13680 The dest field is not extracted for some events

Known issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux has the following known issues:


Date filed Issue number Description
2019-04-24 ADDON-21887 cpu.sh and vmstat.sh return aggregate results for SunOS as opposed to snapshot

Workaround:
Current workaround is to implement (for example):

mpstat -p 1 2

as opposed to mpstat -p 1 1 to reflect the most recent non-aggregated result from the script output.

2018-08-27 ADDON-19194 Incorrect value in swapUsedPct field in FreeBSD os
2018-04-18 ADDON-17753 Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version
2018-04-18 ADDON-17747 package.sh not working in FreeBSD 10 and FreeBSD 11
2018-04-03 ADDON-17607 openPorts.sh script indexed "Header" information into Splunk as an extra event.
2018-03-28 ADDON-17571 AWS TA and *nix TA lack spec files for eventgen.conf, which causes cluster bundle validation errors, and breaks Manage Indexes page in clustered Splunk Cloud

Workaround:
Splunk Cloud customers who cannot create indexes on their own due to this bug should file a support case when they need new indexes created.
2018-03-20 ADDON-17448 CPU core is not properly indexed with Splunk_TA_nix with FreeBSD11 OS
2018-03-19 ADDON-17431 Eventtype unix_runlevel_change name mismatch in eventtypes.conf and tags.conf
2017-03-13 ADDON-14093 vmstat script error on AIX
2017-03-06 ADDON-13986 cpu.sh indexed output is missing core number.

Workaround:
Edit contents of cpu.sh script as follows:

# Need to change to always be 24Hour time with export LC_TIME=POSIX
export LC_TIME='POSIX'
FORMAT='{cpu=$2; pctUser=$3; pctNice=$4; pctSystem=$5; pctIowait=$6; pctSteal=$7; pctIdle=$NF}'

2016-11-10 ADDON-12085 recursive search for bash_histories is expensive

Version 5.2.3

The Splunk Add-on for Unix and Linux was last updated on April 5, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2016-4-5 TAG-11060 The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2016-2-29 TAG-10164 On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
2015-12-15 TAG-4275 The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what's been fixed)

Publication date Defect number Description
2016-4-5 TAG-11059 The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Version 5.2.2

The Splunk Add-on for Unix and Linux was last updated on February 29, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2016-2-29 N/A Bug fixes.
2016-2-29 TAG-10606 Event type definitions in the add-on have been updated to improve performance.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2016-2-29 TAG-10164 On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
2015-12-15 TAG-4275 The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what's been fixed)

Publication date Defect number Description
2016-2-29 TAG-10606 Event type definitions in the add-on have been updated to improve performance.
2016-2-29 TAG-10537 The add-on now determines the correct operating system version numbers on hosts that run AIX and Solaris.
2016-2-29 TAG-10474 A typo in a field transformation that referenced an invalid FORMAT argument has been fixed.
2016-2-29 TAG-9922 The add-on has been updated to not expose file and scripted input configuration controls on Splunk Cloud installations.

Version 5.2.1

The Splunk Add-on for Unix and Linux was last updated on December 15, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2015-12-15 N/A Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2015-12-15 TAG-4275 On hosts that run AIX, the vmstat.sh script does not produce output.


Change Log (what's been fixed)

Publication date Defect number Description
2015-12-15 TAG-10147 A problem with vmstat.sh where space-delimited and tab-delimited entries were intermingled was fixed.
2015-12-15 TAG-10213 The add-on has been updated to move some of the data it collects into a data model. This is for use with the OS Module for Splunk IT Service Intelligence.
2015-12-15 TAG-4211 A problem where the rlog.sh and [monitor://var/log] stanzas within the add-on collected audit.log twice (in different ways) was fixed.

Version 5.2.0

The Splunk Add-on for Unix and Linux was last updated on September 18, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2015-9-18 N/A Bug fixes.
2015-9-18 N/A The app has been updated to be compatible with Splunk Enterprise version 6.3.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2015-10-13 TAG-4211 The rlog.sh scripted input and [monitor:///var/log] input stanza both collect audit.log, although in slightly different formats. This might result in duplicate data collection. To work around this problem, add a blacklist to the [monitor:///var/log] stanza:


[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(audit.log|lastlog|anaconda\.syslog)
index=os
disabled = 1


Change Log (what's been fixed)

Publication date Defect number Description
2015-9-18 TAG-9589 The add-on no longer breaks search-time extractions for syslog on upgrade.
2015-9-18 TAG-9482 The add-on no longer reports incorrect CPU usage when installed on a Solaris 10 host.
2015-9-18 TAG-9353 The storage, storage_used, and storage_free fields now display data in megabytes instead of bytes.
2015-9-18 TAG-9312 The rlog.sh scripted input now reads the first line of the audit.log file. This fixes a problem where events in Splunk Enterprise did not reflect all contents of the file.
2015-9-18 TAG-9220 The package.sh scripted input now populates the RELEASE field on Debian Linux systems.
2015-9-18 TAG-3913 The regular expression that defines line breaking patterns for the add-on no longer generates spurious errors in the line-breaking processor.

Version 5.1.2

The Splunk Add-on for Unix and Linux was last updated on April 1, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values that the native vmstat command displays. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • The vmstat scripted input does not work on AIX. (TAG-4518)
  • On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:
export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
  • You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

  • Copyright information for the add-on has been updated and corrected. (TAG-9244)
  • The add-on no longer incorrectly displays in the Splunk Light Dashboards page. (TAG-9182)
  • The su_authentication event type within the add-on now has better su command event-matching logic. (TAG-8938)
  • The uptime.sh script in the add-on now handles ps output properly on HP-UX machines. (TAG-4204)
  • An unnecessary transform for WMI installed apps has been removed. (TAG-4191)
  • The top.sh script now accounts for the fact that, starting with Mac OS X version 10.9 Mavericks and later, there is no rshrd (resident shared address space size) statistic for the top command. On Mac OSX 10.9 Mavericks and later, the script now outputs "?" for that statistic, instead of generating an error. (TAG-4077)
  • The add-on no longer attempts to automatically learn new source types when you tell it to monitor large directories. (TAG-3986)

Version 5.1.1

The Splunk Add-on for Unix and Linux was last updated on February 13, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.
  • Feature additions to better work with Splunk Light (TAG-3983, TAG-8913).

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:
export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
  • You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

  • A cosmetic issue with the "Reset" button on the add-on configuration page has been fixed. (TAG-3976)
  • The documentation links in the add-on now go to valid places. (TAG-4421)

Version 5.1.0

The Splunk Add-on for Unix and Linux was last updated on October 6, 2014.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.
  • Feature additions to better work with the Splunk App for Enterprise Security.
  • The add-on now contains some knowledge layer improvements. (NIX-638)
  • The add-on now normalizes timestamps to work with the Change_Analysis data model. (NIX-668)
  • The add-on now has higher-resolution icons. (NIX-660)

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:
export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
  • You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

  • A problem with the first-time run experience where a file rename would cause the experience to repeat continuously was fixed. (NIX-664)
  • A search macro definition for network monitoring that conflicted with a similar definition in the Splunk Add-on for Windows was corrected. (NIX-663)
  • Values defined within stanzas in some configuration files now have proper URI encodings. (NIX-656)
  • The vmstat.sh script now properly returns results on systems with more than one mass storage device. (NIX-648)
  • A problem where event type searches generated false positives because they include the summary index has been fixed. (NIX-644)
  • The Splunk Supporting App for Unix and Linux (SA-Nix) no longer overwrites the action field. (NIX-641)
  • A search-time field extraction that referenced the syslog source type has been removed. (NIX-634)
  • A typo in the version.sh script has been corrected. (NIX-630)
  • The setup.sh script now properly accepts the --auth argument. This enables users to use the script to log into their Splunk Enterprise instance while setting up the Splunk App for Unix and Linux from the command line. (NIX-624)
  • A customer-submitted patch to interfaces.sh improves how that script gathers network interface error statistics. (NIX-623)
Last modified on 09 December, 2021