Robust implementation of scripts for Splunk Add-on for Unix and Linux
Version 8.9.0
As part of version 8.9.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of cpu scripts to make it more robust and to work more efficiently for the AIX operating system.
Changes made as part of cpu scripts
The tables below show field names extracted for cpu scripts. It lists the normalized field names which the cpu scripts previously output before version 8.9.0 and also displays the new 'raw' field names output starting with version 8.9.0. We've also maintained a backward compatibility of the older fields along with adding the new fields from the raw output.
Table for cpu scripts
| cpu.sh | |
|---|---|
| Fields in old script's output | Equivalent fields in new script's output for AIX OS |
| CPU | cpu |
| pctUser | us |
| pctSystem | sy |
| pctIowait | wa |
| pctIdle | id |
| cpu_metric.sh | |
|---|---|
| Fields in old script's output | Equivalent fields in new script's output for AIX OS |
| metric_name:cpu_metric.pctUser | metric_name:cpu_metric.us |
| metric_name:cpu_metric.pctSystem | metric_name:cpu_metric.sy |
| metric_name:cpu_metric.pctIowait | metric_name:cpu_metric.wa |
| metric_name:cpu_metric.pctIdle | metric_name:cpu_metric.id |
Version 8.7.0
As part of version 8.7.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of ps, interfaces and df scripts to make them more robust and to work more efficiently across all supported operating systems.
Changes made as part of ps and df scripts
The tables below show field names extracted for ps and df scripts. It lists the normalized field names which the ps and df scripts previously output before version 8.7.0 and also displays the new 'raw' field names output starting with version 8.7.0. We've also maintained a backward compatibility of the older fields along with adding the new fields from the raw output.
Tables for ps scripts
| ps.sh | ||||
|---|---|---|---|---|
| Fields in old script's output | Equivalent fields in new script's output for Linux Kernel OSs | Equivalent fields in new script's output for (Darwin & FreeBSD) Kernel OSs | Equivalent fields in new script's output for Solaris Kernel OSs | Equivalent fields in new script's output for AIX Kernel OSs |
| CPUTIME | TIME | TIME | TIME | TIME |
| RSZ_KB | RSS | RSS | RSS | RSS |
| S | STAT | STAT | S | S |
| TTY | TTY | TT | TTY | TT |
| VSZ_KB | VSZ | VSZ | VSZ | VSZ |
| pctCPU | CPU | CPU | CPU | CPU |
| pctMEM | MEM | MEM | MEM | MEM |
| ps_metric.sh | |
|---|---|
| Fields in Old script's output | Equivalent fields in new script's output for all supported Kernals |
| metric_name:ps_metric.RSZ_KB | metric_name:ps_metric.RSS |
| metric_name:ps_metric.VSZ_KB | metric_name:ps_metric.VSZ |
| metric_name:ps_metric.pctCPU | metric_name:ps_metric.CPU |
| metric_name:ps_metric.pctMEM | metric_name:ps_metric.MEM |
: For ps and ps_metric scripts, ELAPSED and PSR were removed from kernel outputs except for AIX and SunOS as part of v8.7.0.
For the USER field in ps scripts, the add-on previously removed the preceding underscore (if any) from the value and then ingested the field. From v8.7.0 onwards, the add-on will be ingesting the value of the field as it is. If this field is used by any of your applications or use cases, Splunk best practice is to update them accordingly.
Tables for df scripts
| df.sh | ||||
|---|---|---|---|---|
| Fields in old script's output | Equivalent fields in new script's output for Linux Kernel OSs | Equivalent fields in new script's output for (Darwin & FreeBSD) Kernel OSs | Equivalent fields in new script's output for Solaris Kernel OSs | Equivalent fields in new script's output for AIX Kernel OSs |
| Size | Size | Size | Size | 1024-blocks |
| Avail | Avail | Avail | Available | Available |
| UsePct | Use_ | Capacity | Capacity | Capacity |
| INodes | Inodes | INodes | INodes | INodes |
| IUsed | IUsed | iused | IUsed | Iused |
| IFree | IFree | ifree | IFree | Ifree |
| IUsePct | IUse_ | IUsePct | IUsePct | IUsePct |
| df_metric.sh | |||||
|---|---|---|---|---|---|
| Fields in Old script's output | Equivalent fields in new script's output for Linux Kernel OSs | Equivalent fields in new script's output for (Darwin) Kernel OSs | Equivalent fields in new script's output for (FreeBSD) Kernel OSs | Equivalent fields in new script's output for Solaris Kernel OSs | Equivalent fields in new script's output for AIX Kernel OSs |
| metric_name:df_metric:Size | metric_name:df_metric:1K-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:Size | metric_name:df_metric:1024-blocks |
| metric_name:df_metric:Avail | metric_name:df_metric:Avail | metric_name:df_metric:Availble | metric_name:df_metric:Avail | metric_name:df_metric:Avail | metric_name:df_metric:Available |
| metric_name:df_metric:UsePct | metric_name:df_metric:Use | metric_name:df_metric:Capacity | metric_name:df_metric:Capacity | metric_name:df_metric:UsePct | metric_name:df_metric:Capacity |
| metric_name:df_metric:INodes | metric_name:df_metric:Inodes | metric_name:df_metric:INodes | metric_name:df_metric:INodes | metric_name:df_metric:INodes | metric_name:df_metric:INodes |
| metric_name:df_metric:IUsed | metric_name:df_metric:IUsed | metric_name:df_metric:iused | metric_name:df_metric:iused | metric_name:df_metric:IUsed | metric_name:df_metric:Iused |
| metric_name:df_metric:IFree | metric_name:df_metric:IFree | metric_name:df_metric:ifree | metric_name:df_metric:ifree | metric_name:df_metric:IFree | metric_name:df_metric:Ifree |
| metric_name:df_metric:IUsePct | metric_name:df_metric:IUse | metric_name:df_metric:IUsePct | metric_name:df_metric:IUsePct | metric_name:df_metric:IUsePct | metric_name:df_metric:IUsePct |
| metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used | metric_name:df_metric:Used |
| metric_name:df_metric:Size_KB | metric_name:df_metric:1K-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:1024-blocks | metric_name:df_metric:Size | metric_name:df_metric:1024-blocks |
| metric_name:df_metric:Avail_KB | metric_name:df_metric:Avail | metric_name:df_metric:Available | metric_name:df_metric:Available | metric_name:df_metric:Avail | metric_name:df_metric:Available |
Changes made as part of interfaces scripts
We have made the interfaces scripts less error prone in case the output of the raw command changes. No new fields were added for interfaces scripts as part of v8.7.0
Version 8.6.0
As part of version 8.6.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of iostat scripts to make them more robust and to work more efficiently across all supported operating systems.
The most significant change is in regards to field extractions; Splunk best practice is now to extract data into both the raw field names output by the iostat command as well as the normalized field names that the add-on previously used. This enables you to build Splunk content (searches, reports, dashboards, etc) and leverage all the data points produced by the iostat command.
The table below shows an example of field names extracted on Ubuntu OS. It lists the normalized field names which the iostat script previously displayed before version 8.6.0 and also displays the new 'raw' field names output starting with version 8.6.0. Splunk maintains backward compatibility of existing content as older fields are extracted, but Splunk best practice is to update content to use the new field names.
| Old field extraction names | New field extraction names |
|---|---|
| rReq_PS | r_s |
| rKB_PS | rkB_s |
| rrqmPct | rrqm |
| rAvgReqSZkb | rareq_sz |
| rAvgWaitMillis | r_await |
| wReq_PS | w/s |
| wKB_PS | wKB_s |
| wrqmPct | wrqm |
| wAvgWaitMilli | w_await |
| wAvgReqSZkb | wareq_sz |
| avgQueueSZ | aqu_sz |
| bandwUtilPct | util |
| avgSvcMillis | svctm |
| avgWaitMillis | await |
| Scripted input reference for the Splunk Add-on for Unix and Linux |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Download manual
Feedback submitted, thanks!