Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Download manual as PDF

Download topic as PDF

Release history for the Splunk Add-on for Unix and Linux

The latest version of the Splunk Add-on for Unix and Linux is version 6.0.2. See Release notes for the Splunk Add-on for Unix and Linux for release notes of this latest version.

Version 6.0.1

Version 6.0.1 of the Splunk Add-on for Unix and Linux was released on September 20, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection All supported Unix operating systems. See Unix operating systems.
Vendor products All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script CentOS RHEL Ubuntu Solaris AIX FreeBSD Mac OS X
6 7 7.4 6.9 14.04 16.04 10 11.3 11.0 7.1 7.2 9 10 11 10.11 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsfptdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.1 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

The Splunk Add-on for Unix and Linux version 6.0.1 has the following new features:

  • Supported extraction for the cpu_instance field. Earlier versions extracted only cpu=all. Version 6.0.1 can extract field values for individual core numbers in addition to cpu=all.
  • Supported extraction for the mem_page_in and mem_page_out field
  • Supported extraction for the swap_percent field
  • Supported extraction for the cpu_architecture field

Fixed issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Date resolved Issue number Description
2018-09-05 ADDON-19194 Incorrect value in swapUsedPct field in FreeBSD os
2018-09-04 ADDON-18051 Extract cpu_instance field (ITSI OS Module requirement)
2018-09-02 ADDON-18093 Extract field swap_percent (ITSI OS Module requirement)
2018-08-30 ADDON-18095 Extract fields mem_page_in and mem_page_out (ITSI OS Module requirement)
2018-08-27 ADDON-18042 Extract cpu_architecture field (ITSI OS Module requirement)

Known issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed Issue number Description
2019-02-05 ADDON-21209 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-10-24 ADDON-20084 For CIM All_Application_State model field service is labeled as "Unknown"
2018-04-19 ADDON-17763 Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4

Workaround:
Replace

if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then{code}

in rlog.sh script with

if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then{code}

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.0

Version 6.0.0 of the Splunk Add-on for Unix and Linux was released on June 21, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduces breaking changes. If you are upgrading from a previous version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection All supported Unix operating systems. See Unix operating systems.
Vendor products All supported Unix operating systems. See Unix operating systems.

Script compatibility

Script CentOS RHEL Ubuntu Solaris AIX FreeBSD Mac OS X
6 7 7.4 6.9 14.04 16.04 10 11.3 11.0 7.1 7.2 9 10 11 10.11 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsfptdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.

Upgrade

All users upgrading to the Splunk Add-on for Unix and Linux version 6.0.0 must follow the prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.0 of the Splunk Add-on for Unix and Linux contains the following new and changed features:

  • Added support for RedHat Enterprise Linux 7
  • Added support for Solaris 10 and Solaris 11
  • Linux scripts migrated from net-tools to iproute2 to support current Linux releases

Script updates

  • netstat.sh (sourcetype=netstat) is updated. The Proto field no longer contains the IP address type and the State field value is truncated.
    Proto  Recv-Q  Send-Q  LocalAddress          ForeignAddress        State
    tcp         0       0  127.0.0.1:53350       127.0.0.1:8191        ESTAB
    tcp         0       0  127.0.0.1:8191        127.0.0.1:53324       ESTAB
    tcp         0     128  :::22                 :::*                  LISTEN
    tcp         0     100  ::1:25                :::*                  LISTEN
    
  • openPorts.sh (sourcetype=openPorts) is updated. The protocol field no longer contains the IP address type.
    tcp 22
    tcp 8089
    tcp 25
    tcp 8191
    tcp 8000
    tcp 8065
    tcp 22
    tcp 25
    
  • interfaces.sh (sourcetype=interfaces) is updated. The inetAddr field now contains the netmask.
    Name  MAC                inetAddr       inet6Addr                    Collisions  RXbytes    RXerrors  TXbytes  TXerrors  Speed      Duplex
    eth0  00:50:56:95:a4:f7  10.0.3.235/20  fe80::250:56ff:fe95:a4f7/64  0           620790375  0         2982390  0         10000Mb/s  Full
    
  • lastlog.sh (sourcetype=lastlog) is updated. The LATEST field no longer contains the seconds and year in the timestamp, and the FROM field only contains an IP address.
    USERNAME                        FROM                            LATEST
    user1                           10.0.1.1                        Thu Mar 29 13:04
    user2                           10.0.1.1                        Mon Apr 9 14:34
    

Fixed issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux fixed the following issues:

Date resolved Issue number Description
2018-04-12 ADDON-14093 vmstat script error on AIX
2018-03-30 ADDON-12085 recursive search for bash_histories is expensive
2018-03-27 ADDON-14719 Add-on not Supporting current OS Releases
2018-03-27 ADDON-12862, ADDON-12805 vmstat.sh thows ExecProcessor errors on machines with Infiband interfaces
2018-03-23 ADDON-13986 cpu.sh indexed output is missing core number.

Known issues

If no issues appear here, no issues have yet been reported.

Version 6.0.0 of the Splunk Add-on for Unix and Linux has the following known issues:

Date filed Issue number Description
2019-02-05 ADDON-21209 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31 ADDON-21184 service.sh outputs time as a service
2018-04-19 ADDON-17763 Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4

Workaround:
Replace

if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then{code}

in rlog.sh script with

if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then{code}

2018-03-27 ADDON-17560 Data is not getting indexed for service.sh in Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 5.2.4

The Splunk Add-on for Unix and Linux was last updated in December 2017.

What's new

See the known issues and fixed issues of these release notes for product updates.

Fixed issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux fixed the following issues:

Date resolved Issue number Description
2017-04-17 ADDON-8472 Logic failure in rlog.sh creates duplicates when the seekpointer file cannot be updated and silently fails
2017-03-28 ADDON-13680 The dest field is not extracted for some events

Known Issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux has the following known issues:

Date filed Issue number Description
2018-08-27 ADDON-19194 Incorrect value in swapUsedPct field in FreeBSD os
2018-04-18 ADDON-17747 package.sh not working in FreeBSD 10 and FreeBSD 11
2018-03-28 ADDON-17571 AWS TA and *nix TA lack spec files for eventgen.conf, which causes cluster bundle validation errors, and breaks Manage Indexes page in clustered Splunk Cloud

Workaround:
Splunk Cloud customers who cannot create indexes on their own due to this bug should file a support case when they need new indexes created.
2018-03-20 ADDON-17448 CPU core is not properly indexed with Splunk_TA_nix with FreeBSD11 OS
2018-03-19 ADDON-17431 Eventtype unix_runlevel_change name mismatch in eventtypes.conf and tags.conf
2017-05-09 ADDON-14719 Add-on not Supporting current OS Releases
2017-05-05 ADDON-14708 Upgrade Splunk Add-on for Unix to support RHEL 7.3
2017-03-13 ADDON-14093 vmstat script error on AIX
2017-03-06 ADDON-13986 cpu.sh indexed output is missing core number.

Workaround:
Edit contents of cpu.sh script as follows:

#Need to change to always be 24Hour time with export LC_TIME=POSIX export LC_TIME='POSIX' FORMAT='{cpu=$2; pctUser=$3; pctNice=$4; pctSystem=$5; pctIowait=$6; pctSteal=$7; pctIdle=$NF}'

2016-11-10 ADDON-12085 recursive search for bash_histories is expensive

Version 5.2.3

The Splunk Add-on for Unix and Linux was last updated on April 5, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2016-4-5 TAG-11060 The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2016-2-29 TAG-10164 On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
2015-12-15 TAG-4275 The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what's been fixed)

Publication date Defect number Description
2016-4-5 TAG-11059 The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Version 5.2.2

The Splunk Add-on for Unix and Linux was last updated on February 29, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2016-2-29 N/A Bug fixes.
2016-2-29 TAG-10606 Event type definitions in the add-on have been updated to improve performance.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2016-2-29 TAG-10164 On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
2015-12-15 TAG-4275 The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what's been fixed)

Publication date Defect number Description
2016-2-29 TAG-10606 Event type definitions in the add-on have been updated to improve performance.
2016-2-29 TAG-10537 The add-on now determines the correct operating system version numbers on hosts that run AIX and Solaris.
2016-2-29 TAG-10474 A typo in a field transformation that referenced an invalid FORMAT argument has been fixed.
2016-2-29 TAG-9922 The add-on has been updated to not expose file and scripted input configuration controls on Splunk Cloud installations.

Version 5.2.1

The Splunk Add-on for Unix and Linux was last updated on December 15, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2015-12-15 N/A Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2015-12-15 TAG-4275 On hosts that run AIX, the vmstat.sh script does not produce output.


Change Log (what's been fixed)

Publication date Defect number Description
2015-12-15 TAG-10147 A problem with vmstat.sh where space-delimited and tab-delimited entries were intermingled was fixed.
2015-12-15 TAG-10213 The add-on has been updated to move some of the data it collects into a data model. This is for use with the OS Module for Splunk IT Service Intelligence.
2015-12-15 TAG-4211 A problem where the rlog.sh and [monitor://var/log] stanzas within the add-on collected audit.log twice (in different ways) was fixed.

Version 5.2.0

The Splunk Add-on for Unix and Linux was last updated on September 18, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2015-9-18 N/A Bug fixes.
2015-9-18 N/A The app has been updated to be compatible with Splunk Enterprise version 6.3.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2015-10-13 TAG-4211 The rlog.sh scripted input and [monitor:///var/log] input stanza both collect audit.log, although in slightly different formats. This might result in duplicate data collection. To work around this problem, add a blacklist to the [monitor:///var/log] stanza:


[monitor:///var/log]
whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out)
blacklist=(audit.log|lastlog|anaconda\.syslog)
index=os
disabled = 1


Change Log (what's been fixed)

Publication date Defect number Description
2015-9-18 TAG-9589 The add-on no longer breaks search-time extractions for syslog on upgrade.
2015-9-18 TAG-9482 The add-on no longer reports incorrect CPU usage when installed on a Solaris 10 host.
2015-9-18 TAG-9353 The storage, storage_used, and storage_free fields now display data in megabytes instead of bytes.
2015-9-18 TAG-9312 The rlog.sh scripted input now reads the first line of the audit.log file. This fixes a problem where events in Splunk Enterprise did not reflect all contents of the file.
2015-9-18 TAG-9220 The package.sh scripted input now populates the RELEASE field on Debian Linux systems.
2015-9-18 TAG-3913 The regular expression that defines line breaking patterns for the add-on no longer generates spurious errors in the line-breaking processor.

Version 5.1.2

The Splunk Add-on for Unix and Linux was last updated on April 1, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values that the native vmstat command displays. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • The vmstat scripted input does not work on AIX. (TAG-4518)
  • On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:
export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
  • You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

  • Copyright information for the add-on has been updated and corrected. (TAG-9244)
  • The add-on no longer incorrectly displays in the Splunk Light Dashboards page. (TAG-9182)
  • The su_authentication event type within the add-on now has better su command event-matching logic. (TAG-8938)
  • The uptime.sh script in the add-on now handles ps output properly on HP-UX machines. (TAG-4204)
  • An unnecessary transform for WMI installed apps has been removed. (TAG-4191)
  • The top.sh script now accounts for the fact that, starting with Mac OS X version 10.9 Mavericks and later, there is no rshrd (resident shared address space size) statistic for the top command. On Mac OSX 10.9 Mavericks and later, the script now outputs "?" for that statistic, instead of generating an error. (TAG-4077)
  • The add-on no longer attempts to automatically learn new source types when you tell it to monitor large directories. (TAG-3986)

Version 5.1.1

The Splunk Add-on for Unix and Linux was last updated on February 13, 2015.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.
  • Feature additions to better work with Splunk Light (TAG-3983, TAG-8913).

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:
export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
  • You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

  • A cosmetic issue with the "Reset" button on the add-on configuration page has been fixed. (TAG-3976)
  • The documentation links in the add-on now go to valid places. (TAG-4421)

Version 5.1.0

The Splunk Add-on for Unix and Linux was last updated on October 6, 2014.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.
  • Feature additions to better work with the Splunk App for Enterprise Security.
  • The add-on now contains some knowledge layer improvements. (NIX-638)
  • The add-on now normalizes timestamps to work with the Change_Analysis data model. (NIX-668)
  • The add-on now has higher-resolution icons. (NIX-660)

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:
export SPLUNK_HOME=<location of Splunk installation>
export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return "?" for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
  • You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error "Unknown search command: 'all'" when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what's been fixed)

  • A problem with the first-time run experience where a file rename would cause the experience to repeat continuously was fixed. (NIX-664)
  • A search macro definition for network monitoring that conflicted with a similar definition in the Splunk Add-on for Windows was corrected. (NIX-663)
  • Values defined within stanzas in some configuration files now have proper URI encodings. (NIX-656)
  • The vmstat.sh script now properly returns results on systems with more than one mass storage device. (NIX-648)
  • A problem where event type searches generated false positives because they include the summary index has been fixed. (NIX-644)
  • The Splunk Supporting App for Unix and Linux (SA-Nix) no longer overwrites the action field. (NIX-641)
  • A search-time field extraction that referenced the syslog source type has been removed. (NIX-634)
  • A typo in the version.sh script has been corrected. (NIX-630)
  • The setup.sh script now properly accepts the --auth argument. This enables users to use the script to log into their Splunk Enterprise instance while setting up the Splunk App for Unix and Linux from the command line. (NIX-624)
  • A customer-submitted patch to interfaces.sh improves how that script gathers network interface error statistics. (NIX-623)
PREVIOUS
Release notes for the Splunk Add-on for Unix and Linux
  NEXT
Hardware and software requirements for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters