Splunk® Add-on for Unix and Linux

Deploy and Use the Splunk Add-on for Unix and Linux


The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.

Release notes for the Splunk Add-on for Unix and Linux

Version 6.0.0 of the Splunk Add-on for Unix and Linux was released on May 25, 2018.

Compatibility

Version 6.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms.

Splunk platform versions          6.6.X and later
CIM                               4.3 and later
Supported OS for data collection  All supported Unix operating systems. See Unix operating systems.
Script                 CentOS        RHEL          Ubuntu        Solaris              AIX           FreeBSD              Mac OS X
                       6      7      7.4    6.9    14.04  16.04  10     11.3   11.0   7.1    7.2    9      10     11     10.11  10.12
bandwidth.sh           Y      Y      Y      Y      Y      Y      Y1     Y2     Y      Y      Y      N3     N3     N3     Y      N3
common.sh              Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
cpu.sh                 Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      N3
df.sh                  Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
hardware.sh            Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
interfaces.sh          Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
iostat.sh              Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      N4     N4
lastlog.sh             Y      Y      Y      Y      Y      Y      Y      Y      Y      N      N      Y      Y      Y      Y      Y
lsof.sh                Y      Y      Y      Y      Y      Y      N      N      N      N      N      N      N      N      Y      Y
netstat.sh             Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
openPorts.sh           Y5     Y5     Y5     Y5     Y      Y      Y5     Y5     Y5     Y      Y      Y      Y      Y      Y      Y
openPortsEnhanced.sh   Y      Y      Y      Y      Y      Y      Y      Y      Y      N      N      N      N      N      Y      Y
package.sh             Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      N6     N6     Y      Y
passwd.sh              Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
protocol.sh            Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
ps.sh                  Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y7     Y7     Y7     Y      Y
rlog.sh                Y      Y8     Y8     Y      Y9     Y      N      N      N      N      N      N      N      N      N      N
selinuxChecker.sh      Y      Y      Y      Y      Y      N      N      N      N      N      N      N      N      N      N      N
service.sh             Y      Y      Y      Y      N10    Y      Y      Y      Y      N      N      N      N      N      Y      Y
sshdChecker.sh         Y      Y      Y      Y      Y      Y      Y      Y      Y      N      N      N      N      N      N      N
time.sh                Y11    Y11    Y      Y      Y      Y      Y      Y      Y      Y      Y11    Y      Y      Y      Y      Y
top.sh                 Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
update.sh              Y      Y      Y      Y      N      N      N      N      N      N      N      N      N      N      Y      Y
uptime.sh              Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
usersWithLoginPrivs.sh Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
version.sh             Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y
vmstat.sh              Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      N
vsftpdChecker.sh       N      N      N      N      N      N      N      N      N      N      N      N      N      N      N      N
who.sh                 Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y      Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.
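Several of the notes above make a script's support depend on one command being present on the host (sar, ausearch, chkconfig, ntpdate). The following is an added example, not part of the add-on, that checks a host for those commands so that unsupported scripts can be left disabled before the forwarder is configured. The script-to-command mapping is derived from notes 3, 9, 10 and 11 only and is a simplification: it does not model the per-OS variations in the table (for instance the Solaris netstat -i / dlstat alternatives in notes 1 and 2), and the function names (required_cmds, has_cmd, missing_cmds, check_host) are this example's own.

```shell
#!/bin/sh
# Added example, not the add-on's own code.
# Reports whether the commands named in the release-notes footnotes are on PATH,
# so scripts that would fail on this host can be left out of inputs.conf.
# Mapping is taken from notes 3, 9, 10 and 11 and is deliberately simplified.

# Commands a script needs on this host (empty for scripts with no footnote).
required_cmds() {
    case "$1" in
        bandwidth.sh) echo "sar" ;;        # note 3 (Solaris alternatives not modelled)
        cpu.sh)       echo "sar" ;;        # note 3
        rlog.sh)      echo "ausearch" ;;   # note 9
        service.sh)   echo "chkconfig" ;;  # note 10
        time.sh)      echo "ntpdate" ;;    # note 11
        *)            echo "" ;;
    esac
}

# True when the command resolves on PATH.
has_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# Print the required commands that are missing on this host (empty if none).
missing_cmds() {
    for c in $(required_cmds "$1"); do
        has_cmd "$c" || printf '%s ' "$c"
    done
}

# One line per footnoted script: "ok" or "missing: <commands>".
check_host() {
    for s in bandwidth.sh cpu.sh rlog.sh service.sh time.sh; do
        m=$(missing_cmds "$s")
        if [ -z "$m" ]; then
            printf '%-14s ok\n' "$s"
        else
            printf '%-14s missing: %s\n' "$s" "$m"
        fi
    done
}

check_host
```

Run it on the host that will carry the forwarder; a "missing:" line means the corresponding script would produce errors rather than data on that host, which matches what the Y/N table predicts for the platforms where the command is absent.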

Upgrade instructions

All users upgrading to the Splunk Add-on for Unix and Linux version 6.0.0 must follow the prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.0 of the Splunk Add-on for Unix and Linux contains the following new and changed features:

  • Added support for Red Hat Enterprise Linux 7.
  • Added support for Solaris 10 and Solaris 11.
  • Linux scripts migrated from net-tools to iproute2 to support current Linux releases.

Script updates

  • netstat.sh (sourcetype=netstat) has been updated. The Proto field no longer contains the IP address type and the State field value is truncated.
    Proto  Recv-Q  Send-Q  LocalAddress          ForeignAddress        State
    tcp         0       0  127.0.0.1:53350       127.0.0.1:8191        ESTAB
    tcp         0       0  127.0.0.1:8191        127.0.0.1:53324       ESTAB
    tcp         0     128  :::22                 :::*                  LISTEN
    tcp         0     100  ::1:25                :::*                  LISTEN
    
  • openPorts.sh (sourcetype=openPorts) has been updated. The protocol field no longer contains the IP address type.
    tcp 22
    tcp 8089
    tcp 25
    tcp 8191
    tcp 8000
    tcp 8065
    tcp 22
    tcp 25
    
  • interfaces.sh (sourcetype=interfaces) has been updated. The inetAddr field now contains the netmask.
    Name  MAC                inetAddr       inet6Addr                    Collisions  RXbytes    RXerrors  TXbytes  TXerrors  Speed      Duplex
    eth0  00:50:56:95:a4:f7  10.0.3.235/20  fe80::250:56ff:fe95:a4f7/64  0           620790375  0         2982390  0         10000Mb/s  Full
    
  • lastlog.sh (sourcetype=lastlog) has been updated. The LATEST field no longer contains the seconds and year in the timestamp, and the FROM field only contains an IP address.
    USERNAME                        FROM                            LATEST
    user1                           10.0.1.1                        Thu Mar 29 13:04
    user2                           10.0.1.1                        Mon Apr 9 14:34
    
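The field changes listed above follow from the move from net-tools to iproute2. The following is an added example, not the add-on's own code: two small shell functions that reshape the output of `ss -tuan` and `ip -o addr` into the netstat and interfaces column layouts shown above, which makes visible why Proto no longer carries the address type, why State is abbreviated, and why inetAddr now includes the prefix length. Input is read from stdin so captured output can be fed in; the sample_* functions return constructed lines (not captured from a real host), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the add-on's own code. Reshapes iproute2 output into the
# column layout that netstat.sh (sourcetype=netstat) and interfaces.sh
# (sourcetype=interfaces) emit in 6.0.0. Functions read stdin.

# "ss -tuan" columns: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process].
# Netid is plain "tcp"/"udp" (no "6" suffix) and ss abbreviates states
# (ESTAB, LISTEN, UNCONN): that is the Proto and State change documented above.
# Addresses pass through unchanged (ss writes IPv6 addresses in brackets).
ss_to_netstat() {
    awk 'NR == 1 { printf "%-6s %6s %6s %-21s %-21s %s\n", "Proto", "Recv-Q", "Send-Q", "LocalAddress", "ForeignAddress", "State"; next }
         NF >= 6 { printf "%-6s %6s %6s %-21s %-21s %s\n", $1, $3, $4, $5, $6, $2 }'
}

# "ip -o addr" prints one line per address with the prefix length attached
# (10.0.3.235/20), which is why inetAddr now carries the netmask. Collapse the
# per-address lines into one row per interface, keeping the first IPv6 address.
ip_to_interfaces() {
    awk 'BEGIN { printf "%-6s %-18s %s\n", "Name", "inetAddr", "inet6Addr" }
         { if (!seen[$2]++) order[++n] = $2 }
         $3 == "inet"  { v4[$2] = $4 }
         $3 == "inet6" { if (!($2 in v6)) v6[$2] = $4 }
         END { for (i = 1; i <= n; i++)
                   printf "%-6s %-18s %s\n", order[i], v4[order[i]], v6[order[i]] }'
}

# Constructed sample lines in the shape of "ss -tuan" output (not a real capture).
sample_ss_output() {
    printf '%s\n' \
        'Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
        'tcp   ESTAB  0      0      127.0.0.1:53350    127.0.0.1:8191' \
        'tcp   LISTEN 0      128    [::]:22            [::]:*' \
        'udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*'
}

# Constructed sample lines in the shape of "ip -o addr" output (not a real capture).
sample_ip_output() {
    printf '%s\n' \
        '2: eth0    inet 10.0.3.235/20 brd 10.0.15.255 scope global eth0\       valid_lft forever preferred_lft forever' \
        '2: eth0    inet6 fe80::250:56ff:fe95:a4f7/64 scope link \       valid_lft forever preferred_lft forever' \
        '1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever'
}

sample_ss_output | ss_to_netstat
echo
sample_ip_output | ip_to_interfaces
```

To try it against a live host, pipe the real commands instead of the samples (`ss -tuan | ss_to_netstat`, `ip -o addr | ip_to_interfaces`). Field extractions written against the old net-tools output (tcp6, ESTABLISHED, a bare inetAddr) will need updating to the new values this shows.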

Fixed issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux fixed the following issues:

Date resolved   Issue number              Description
2018-04-12      ADDON-14093               vmstat script error on AIX
2018-03-30      ADDON-12085               recursive search for bash_histories is expensive
2018-03-27      ADDON-14719               Add-on not supporting current OS releases
2018-03-27      ADDON-12862, ADDON-12805  vmstat.sh throws ExecProcessor errors on machines with InfiniBand interfaces
2018-03-23      ADDON-13986               cpu.sh indexed output is missing core number

Known issues

If no issues appear below, no issues have yet been reported.

Version 6.0.0 of the Splunk Add-on for Unix and Linux has the following known issues:

Date filed   Issue number   Description
2019-02-05   ADDON-21209    'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations
2019-01-31   ADDON-21184    service.sh outputs time as a service
2018-04-19   ADDON-17763    Getting error log message into splunkd for rlog.sh script execution for CentOS 7 and RHEL 7.4
                            Workaround: in the rlog.sh script, replace

                                if [ -n "`service auditd status`" -a "$?" -eq 0 ] ; then

                            with

                                if [ -n "`service auditd status 2>/dev/null`" -a "$?" -eq 0 ] ; then

2018-03-27   ADDON-17560    Data is not getting indexed for service.sh in Ubuntu 14.04

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.


This documentation applies to the following versions of Splunk® Add-on for Unix and Linux: 6.0.0
