Splunk® Supported Add-ons

Splunk Add-on for Unix and Linux

Download manual as PDF

Download topic as PDF

Troubleshoot the Splunk Add-on for Unix and Linux

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Missing data from scripts

If data is missing from the script output, you can run the scripts in debug mode and use the additional information to look for the cause of the missing data.

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Run sh <script_name> --debug to run the script in debug mode.
  3. The debug output is saved in debug--<script_name>--<date_and_time_of_execution>. This file contains the command that was executed, and its output or the failure reason. Use this information to resolve the missing data issue.

Unexpected values for cpu_load_percent and cpu_user_percent fields

The Splunk Add-on for Unix and Linux version 6.0.1 enhanced field extraction for the sourcetype cpu by extracting cpu_user_percent and cpu_load_percent fields for specific core numbers as well as for all instances. To query across all, which is what previous versions of the add-on do, use cpu=all. To query for a specific core number, include the number in your query, such as cpu=1.

Multiple events in package source type

In the packagesourcetype of the Splunk Add-on for Unix and Linux version 6.0.1, all installed software packages are listed in one event, and there are no field extractions. In version 6.0.2 of the Splunk Add-on for Unix and Linux, events are divided into separate events per software package, and fields are extracted automatically for each event. This also applies to existing events.

Make CPU core statistics info in FreeBSD OS similar to other supported OS configurations

In version 6.0.1 of the Splunk Add-on for Unix and Linux 6.0.1, the cpu sourcetype for FreeBSD OS has CPU statistics for all cores as a single event, whereas for other OS configurations, there are separate events for separate cores as well as single event for all cores. In version 6.0.2 of the Splunk Add-on for Unix and Linux, cpu.sh script output data for FreeBSD OS is consistent with other OS configurations.

Not getting data from nfsiostat scripts

See Missing data from scripts to check the script behavior in debug mode.

If the output of script file in debug mode is "Not found command nfsiostat on this host," then install the nfsutils package. If data is not indexed after installing this package, then check the script in debug mode again. If the output is "No NFS mount points were found," then the NFS file system is missing. You need to set up NFS mount to get this data into your Splunk platform deployment.

PREVIOUS
Enable data and scripted inputs for the Splunk Add-on for Unix and Linux
  NEXT
Lookups for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters