Splunk® Add-on for Unix and Linux (Legacy)

Deploy and Use the Splunk Add-on for Unix and Linux

The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.

About the Splunk Add-on for Unix and Linux

Version 6.0.0
Vendor Products All supported Unix operating systems. See Unix operating systems.
Visible in Splunk Web Yes. This add-on contains views for configuration.

The Splunk Add-on for Unix and Linux collects *nix data from *nix hosts. You can install the Splunk Add-on for Unix and Linux on a forwarder to send data from any number of *nix hosts to a Splunk Enterprise indexer or group of indexers. You can also use the add-on to provide data for other apps, such as Splunk IT Service Intelligence or Splunk Enterprise Security.

The Splunk Add-on for Unix and Linux collects the following data using file inputs:

  • Changes to files in the /etc directory and subdirectories.
  • Changes to files in the /var/log directory and subdirectories.

The add-on collects the following data with scripted inputs:

bandwidth.sh Network statistics via the shell commands dlstat, netstat, and sar
cpu.sh CPU statistics via the shell commands sar, mpstat, and iostat
df.sh Free disk space for each mount point via the shell commands df, mount and fstyp
hardware.sh Hardware information via the shell commands cpuinfo, df, dmesg, ifconfig, ioscan, iostat, ip, lanscan, lsattr, lscfg, lsdev, lsps, lspv, meminfo, mpstat, prtconf, prtdiag, sysctl, system_profiler, swap, swapinfo, and top
interfaces.sh Configured network interfaces via the shell commands dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat
iostat.sh Input/output statistics for block devices and partitions via the shell commands darwin_disk_stats, iostat, and sar
lastlog.sh Last login times for system accounts via the shell commands last, lastb, and lastlogin
lsof.sh Process information via the shell command lsof
netstat.sh Network connections, routing tables, and network interface information via the shell command netstat
openPorts.sh Available network ports via the shell command netstat
openPortsEnhanced.sh TCP/UDP ports in a listening state, and information on process, process ID, IP version, etc. via the shell commands lsof, and netstat
package.sh Lists installed software packages via the shell commands dpkg-query, pkginfo, and pkg_info, system_profiler and swlist
passwd.sh Shows username and associated user ID, user group ID, and shell
protocol.sh TCP/UDP transfer statistics via the shell command netstat
ps.sh Status of current running processes via the shell command ps
rlog.sh Audit information recorded in /var/log/audit/audit.log by auditd
selinuxChecker.sh Parses /etc/sysconfig/selinux to check if SELinux is configured
service.sh Running services and associated details via the shell commands chkconfig, dscl, svcs, and systemctl
sshdChecker.sh Parses sshd_config for information local sshd configurations
time.sh System date and time, and NTP server time via the shell commands date and ntpdate
top.sh List of running system processes via the shell commands ps and top
update.sh Available software updates for installed packages via the shell commands softwareupdate and yum
uptime.sh System date and uptime information via the shell command date
usersWithLoginPrivs.sh Shows system username information
version.sh OS version details via the shell command uname
vmstat.sh Process related memory usage information via the shell commands prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat
vsftpdChecker.sh Parses vsftpd.conf for information about local VSFTP server configurations
who.sh Information about all users currently logged in via the shell command who

The add-on displays question marks ("?") for blank fields that the scripted inputs return within individual events. This is expected behavior to preserve field spacing, and is not cause for concern.

Download the Splunk Add-on for Unix and Linux from Splunkbase.

For a summary of new features, fixed issues, and known issues, see Release Notes for the Splunk Add-on for Unix and Linux.

For information about installing and configuring the Splunk Add-on for Unix and Linux, see Installation and configuration overview for the Splunk Add-on for Unix and Linux.

See Questions related to Splunk Add-on for Unix and Linux on Splunk Answers.

Last modified on 07 July, 2020
  Source types for the Splunk Add-on for Unix and Linux

This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 6.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters