Troubleshoot the Splunk Add-on for Unix and Linux
Events not getting tagged to the desired event type after upgrading to version 8.8.0
Errors seen in splunkd for rlog.sh script
Error parsing start date (MM/DD/YYYY)
Locales other than
en_US.UTF-8 are currently not supported by
ausearch command which is being used in rlog.sh.
If you are using locales other than
en_US.UTF-8 you will have to use the locale as
en_US.UTF-8 or its equivalent depending on your country.
Errors seen in output of Update.sh script
2021-12-23 06:50:15,873 [ERROR] yum:13717:MainThread @logutil.py:194 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr
2021-12-23 06:50:15,875 [ERROR] yum:13717:MainThread @identity.py:156 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 13] Permission denied: '/etc/pki/consumer/key.pem'
If you see errors similar or same as above errors, then provide the necessary permissions for the user running splunkd to read those files.
sshdChecker.sh and vsftpdChecker.sh scripted inputs giving some file permission errors
If you see file permission errors for the files 'sshd_config' (for sshdChecker.sh) and 'vsftpd.conf' (for vsftpdChecker.sh), then please provide the necessary permissions for the user running splunkd to read those files.
Missing data from scripts
If data is missing from the script output, you can run the scripts in debug mode and use the additional information to look for the cause of the missing data.
- Navigate to
sh <script_name> --debugto run the script in debug mode.
- The debug output is saved in
debug--<script_name>--<date_and_time_of_execution>. This file contains the command that was executed, and its output or the failure reason. Use this information to resolve the missing data issue.
Unexpected values for
The Splunk Add-on for Unix and Linux version 6.0.1 enhanced field extraction for the sourcetype
cpu by extracting
cpu_load_percent fields for specific core numbers as well as for all instances. To query across all, which is what previous versions of the add-on do, use
cpu=all. To query for a specific core number, include the number in your query, such as
Multiple events in package source type
packagesourcetype of the Splunk Add-on for Unix and Linux version 6.0.1, all installed software packages are listed in one event, and there are no field extractions. In version 6.0.2 of the Splunk Add-on for Unix and Linux, events are divided into separate events per software package, and fields are extracted automatically for each event. This also applies to existing events.
Make CPU core statistics info in FreeBSD OS similar to other supported OS configurations
In version 6.0.1 of the Splunk Add-on for Unix and Linux 6.0.1, the
cpu sourcetype for FreeBSD OS has CPU statistics for all cores as a single event, whereas for other OS configurations, there are separate events for separate cores as well as single event for all cores. In version 6.0.2 of the Splunk Add-on for Unix and Linux,
cpu.sh script output data for FreeBSD OS is consistent with other OS configurations.
Not getting data from
See Missing data from scripts to check the script behavior in debug mode.
If the output of script file in debug mode is "Not found command
nfsiostat on this host," then install the
nfsutils package. If data is not indexed after installing this package, then check the script in debug mode again. If the output is "No NFS mount points were found," then the NFS file system is missing. You need to set up NFS mount to get this data into your Splunk platform deployment.
COMMAND field is truncated in the data collected from ps.sh scripted input
If your environment contains any commands longer than 100 characters, perform the following steps to extend your deployment's maximum command length:
- Navigate to
- Open a CLI and enter
- Navigate to to line 21, and change
%-100.100sto a command length that fits your environment. For example,
- Save your changes.
LC_CTYPE error for rlog.sh input
If you receive the error
"locale: Cannot set LC_ALL to default locale: No such file or directory, verify the following:
If you are connecting to a Linux or Unix machine using a Mac OS Terminal, verify that the
locale set is the same for both operating system (OS) platforms.
- If the
localesets do not match, sync them, using the commands specific to your OS platform.
- As a best practice, keep
LANG="en_US.UTF-8". Alternate values are supported, as long as the values are the same for your remote machine and the machine from which you are logging in.
Scripted input not working due to insufficient permissions
Verify that you have execute rights for the
bin folder. The scripts will display permission denied in the
splunkd.log if you don't. Splunk must be installed and executed as root user for this Add-on to work properly.
Enable data and scripted inputs for the Splunk Add-on for Unix and Linux
Lookups for the Splunk Add-on for Unix and Linux
This documentation applies to the following versions of Splunk® Supported Add-ons: released