Splunk® Content Packs for ITSI and IT Essentials Work


Troubleshoot the Content Pack for Unix Dashboards and Reports

You can troubleshoot your Content Pack for Unix Dashboards and Reports deployment if you are experiencing errors or if you aren't seeing the data that you expect.

The content pack isn't working as expected

Problem

Examples of the content pack not working as expected include an alert modal that doesn't work properly or configurations that aren't reflected.

Cause

If the Splunk App for Unix and Linux is not disabled, the Content Pack for Unix Dashboards and Reports uses the configurations and the knowledge object definitions from that app, which results in a knowledge object conflict.

Solution

Check if the Splunk App for Unix and Linux is enabled on the same instance and disable it.

Alert Model or Open in Search features aren't working in the cloud environment

Problem

The Alert Model and Open in Search features aren't working on the Alerts - Unix dashboard.

Solution

Add a schedule_as=classic setting to each of these alerts following the steps for your deployment type.

  • Memory_Exceeds_MB_by_Process
  • Memory_Exceeds_Percent_by_Host
  • Memory_Exceeds_MB_by_Host
  • CPU_Exceeds_Percent_by_Host
  • CPU_Under_Percent_by_Host
  • Load_Exceeds_by_Host
  • Threads_Exceeds_by_Host
  • Processes_Exceeds_by_Host
  • Disk_Used_Exceeds_Percent_by_Host
  • Open_Files_Exceeds_by_Process
  • IO_Wait_Exceeds_Threshold
  • IO_Utilization_Exceeds_Threshold

Search head cluster deployments

  1. Create a new file named savedsearches.conf.
  2. Save the file in the $SPLUNK_HOME/splunk/etc/shcluster/apps/DA-ITSI-CP-unix-dashboards/local directory on the deployer.
  3. Add a schedule_as=classic setting in each alert.
    [Memory_Exceeds_MB_by_Process]
    schedule_as=classic
  4. Push the updated app bundle from the deployer. The deployer restarts all the search head cluster members after the update is applied. If the deployer doesn't restart the search head cluster members, perform a rolling restart.

Dedicated search head deployments

  1. Create a new file named savedsearches.conf.
  2. Save the file in the $SPLUNK_HOME/splunk/etc/apps/DA-ITSI-CP-unix-dashboards/local directory on the search head.
  3. Add a schedule_as=classic setting in each alert.
    [Memory_Exceeds_MB_by_Process]
    schedule_as=classic
  4. Restart the Splunk instance.
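
The following script is an added example, not part of the original Splunk documentation, that carries out steps 1 to 3 of both procedures above for all twelve alerts at once. The function names add_classic_schedule and missing_classic are hypothetical; the directory argument is the local directory named in step 2 for your deployment type.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): write the
# schedule_as=classic stanzas for every alert listed on this page.

ALERTS="Memory_Exceeds_MB_by_Process Memory_Exceeds_Percent_by_Host
Memory_Exceeds_MB_by_Host CPU_Exceeds_Percent_by_Host
CPU_Under_Percent_by_Host Load_Exceeds_by_Host Threads_Exceeds_by_Host
Processes_Exceeds_by_Host Disk_Used_Exceeds_Percent_by_Host
Open_Files_Exceeds_by_Process IO_Wait_Exceeds_Threshold
IO_Utilization_Exceeds_Threshold"

# add_classic_schedule <local_dir>
# Appends a stanza for each alert whose header is not yet present in
# <local_dir>/savedsearches.conf and prints how many stanzas were added.
# Existing stanzas are never modified, so re-running is safe.
add_classic_schedule() {
    conf="$1/savedsearches.conf"
    mkdir -p "$1" || return 1
    touch "$conf" || return 1
    added=0
    for alert in $ALERTS; do
        if grep -qxF "[$alert]" "$conf"; then
            continue
        fi
        printf '[%s]\nschedule_as=classic\n\n' "$alert" >> "$conf"
        added=$((added + 1))
    done
    echo "$added"
}

# missing_classic <conf_file>
# Prints every alert whose stanza is absent or lacks schedule_as=classic,
# for example a stanza that existed before and was skipped above.
missing_classic() {
    for alert in $ALERTS; do
        awk -v want="[$alert]" '
            /^\[/ { in_stanza = ($0 == want) }
            in_stanza && /^[ \t]*schedule_as[ \t]*=[ \t]*classic[ \t]*$/ { found = 1 }
            END { exit !found }
        ' "$1" 2>/dev/null || echo "$alert"
    done
}

# Run as: sh script.sh <local_dir>
if [ -n "${1:-}" ]; then
    add_classic_schedule "$1"
    missing_classic "$1/savedsearches.conf"
fi
```

Any alert names printed after the count need the setting added by hand to their existing stanza. Continue with step 4 for your deployment type afterwards.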

The bubble color differs from the actual value

The bubble in the chart shows the value of the parameter selected from the menus. The color bar sets the color of the bubble and shows a value between 1 and 100. If the bubble value is greater than 100, the value is log-scaled to keep the number under 100.


The Categories tab in the Settings dashboard is stuck loading

Problem

The Categories tab in the Settings dashboard is stuck loading when opened for the first time.

Cause

The Categories tab uses the dropdown.csv file to display the default category. This dropdown.csv is created by the saved search at runtime after you install the content pack. If there is a high number of scheduled saved searches on the search head, the saved search for creating the dropdown.csv is not run.

Solution

Perform these steps to run the saved search manually and resolve the issue.

  1. Navigate to Settings > Searches, Reports, and Alerts.
  2. Find and run the saved search dropdowns_lookup_migrate.

CPU information isn't displaying

Problem

CPU information isn't displaying.

Cause

Software dependencies are not installed on the forwarder instance.

Solution

Ensure that all software dependencies are installed on the forwarder instance as described in the requirements for the Splunk Add-on for Unix and Linux. See Hardware and software requirements for the Splunk Add-on for Unix and Linux in the Splunk Add-on for Unix and Linux manual.

Split pctCPU

Problem

The value of pctCPU is calculated across all CPUs, not individual cores.

Cause

pctCPU is designed to calculate across all CPUs.

Solution

Use a search like the following example search to split pctCPU into smaller units:

Search                                       Description
tag=cpu | stats avg(pctUser)                 average cpu.user over all CPUs
tag=cpu | stats avg(pctUser) by CPU          average cpu.user per CPU
tag=cpu CPU=1 | stats avg(pctUser) by CPU    average cpu.user of CPU 1

Unable to change colors in the radial graph on the Home dashboard

If you move down the second color picker and cross it with the first color picker, the bottom-most color does not update.

To reflect the changes, refresh the page.

Unable to configure the Alerts and Your Data tab in Settings dashboard

Problem

Unable to configure Alerts and Your Data tab in Settings dashboard.

Cause

Alerts present in the Alerts tab, and the Indexes and Sourcetypes definition in the Your Data tab, are only configurable by the Admin user.

Solution

Ensure that the current user has the admin/sc-admin role.

Could not load lookup=LOOKUP-dropdowns error

Problem

When you run searches in a search head cluster environment, you might receive a "Could not load lookup=LOOKUP-dropdowns" error.

Cause

The Content Pack for Unix Dashboards and Reports has a saved search that runs on startup to create the dropdowns.csv lookup. This lookup might not replicate to all the search heads, which results in this error.

Solution

Manually run the dropdowns_lookup_migrate saved search on the search head.

Last modified on 01 October, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

