Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Troubleshoot the Splunk Add-on for Unix and Linux

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Missing data from scripts

If data is missing from the script output, you can run the scripts in debug mode and use the additional information to look for the cause of the missing data.

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Run sh <script_name> --debug to run the script in debug mode.
  3. The debug output is saved in debug--<script_name>--<date_and_time_of_execution>. This file contains the command that was executed, and its output or the failure reason. Use this information to resolve the missing data issue.

Unexpected values for cpu_load_percent and cpu_user_percent fields

The Splunk Add-on for Unix and Linux version 6.0.1 enhanced field extraction for the sourcetype cpu by extracting cpu_user_percent and cpu_load_percent fields for specific core numbers as well as for all instances. To query across all, which is what previous versions of the add-on do, use cpu=all. To query for a specific core number, include the number in your query, such as cpu=1.

Multiple events in package source type

In the packagesourcetype of the Splunk Add-on for Unix and Linux version 6.0.1, all installed software packages are listed in one event, and there are no field extractions. In version 6.0.2 of the Splunk Add-on for Unix and Linux, events are divided into separate events per software package, and fields are extracted automatically for each event. This also applies to existing events.

Make CPU core statistics info in FreeBSD OS similar to other supported OS configurations

In version 6.0.1 of the Splunk Add-on for Unix and Linux 6.0.1, the cpu sourcetype for FreeBSD OS has CPU statistics for all cores as a single event, whereas for other OS configurations, there are separate events for separate cores as well as single event for all cores. In version 6.0.2 of the Splunk Add-on for Unix and Linux, cpu.sh script output data for FreeBSD OS is consistent with other OS configurations.

Not getting data from nfsiostat scripts

See Missing data from scripts to check the script behavior in debug mode.

If the output of script file in debug mode is "Not found command nfsiostat on this host," then install the nfsutils package. If data is not indexed after installing this package, then check the script in debug mode again. If the output is "No NFS mount points were found," then the NFS file system is missing. You need to set up NFS mount to get this data into your Splunk platform deployment.

COMMAND field is truncated in the data collected from ps.sh scripted input

If your environment contains any commands longer than 100 characters, perform the following steps to extend your deployment's maximum command length:

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Open a CLI and enter vi ps.sh
  3. Navigate to to line 21, and change %-100.100s to a command length that fits your environment. For example, %-200.200s.
  4. Save your changes.

LC_CTYPE error for rlog.sh input

If you receive the error "locale: Cannot set LC_ALL to default locale: No such file or directory, verify the following:

If you are connecting to a Linux or Unix machine using a Mac OS Terminal, verify that the locale set is the same for both operating system (OS) platforms.

  • If the locale sets do not match, sync them, using the commands specific to your OS platform.
  • As a best practice, keep LANG="en_US.UTF-8". Alternate values are supported, as long as the values are the same for your remote machine and the machine from which you are logging in.

Scripted input not working due to insufficient permissions

Verify that you have execute rights for the bin folder. The scripts will display permission denied in the splunkd.log if you don't. Splunk must be installed and executed as root user for this Add-on to work properly.

Last modified on 09 December, 2021
Enable data and scripted inputs for the Splunk Add-on for Unix and Linux
Lookups for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters