The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.
Release history for the Splunk Add-on for Unix and Linux
Latest Release
The latest version of the Splunk Add-on for Unix and Linux is version 6.0.0. See Release notes for the Splunk Add-on for Unix and Linux for release notes of this latest version.
Version 5.2.4
The Splunk Add-on for Unix and Linux was last updated in December 2017.
What's new
See the known issues and fixed issues of these release notes for product updates.
Fixed issues
Version 5.2.4 of the Splunk Add-on for Unix and Linux fixed the following issues:
| Date resolved | Issue number | Description |
|---|---|---|
| 2017-04-17 | ADDON-8472 | Logic failure in rlog.sh creates duplicates when the seekpointer file cannot be updated and silently fails |
| 2017-03-28 | ADDON-13680 | The dest field is not extracted for some events |
Known Issues
Version 5.2.4 of the Splunk Add-on for Unix and Linux has the following known issues:
| Date filed | Issue number | Description |
|---|---|---|
| 2019-04-24 | ADDON-21887 | cpu.sh and vmstat.sh return aggregate results for SunOS as opposed to snapshot Workaround: Current workaround is to implement (for example): mpstat -p 1 2 as opposed to mpstat -p 1 1 to reflect the most recent non-aggregated result from the script output. |
| 2018-08-27 | ADDON-19194 | Incorrect value in swapUsedPct field in FreeBSD os |
| 2018-04-18 | ADDON-17753 | Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version |
| 2018-04-18 | ADDON-17747 | package.sh not working in FreeBSD 10 and FreeBSD 11 |
| 2018-04-03 | ADDON-17607 | openPorts.sh script indexed "Header" information into Splunk as an extra event. |
| 2018-03-28 | ADDON-17571 | AWS TA and *nix TA lack spec files for eventgen.conf, which causes cluster bundle validation errors, and breaks Manage Indexes page in clustered Splunk Cloud Workaround: Splunk Cloud customers who cannot create indexes on their own due to this bug should file a support case when they need new indexes created. |
| 2018-03-20 | ADDON-17448 | CPU core is not properly indexed with Splunk_TA_nix with FreeBSD11 OS |
| 2018-03-19 | ADDON-17431 | Eventtype unix_runlevel_change name mismatch in eventtypes.conf and tags.conf |
| 2017-03-13 | ADDON-14093 | vmstat script error on AIX |
| 2017-03-06 | ADDON-13986 | cpu.sh indexed output is missing core number. Workaround: Edit contents of cpu.sh script as follows: #Need to change to always be 24Hour time with export LC_TIME=POSIX
export LC_TIME='POSIX'
FORMAT='{cpu=$2; pctUser=$3; pctNice=$4; pctSystem=$5; pctIowait=$6; pctSteal=$7; pctIdle=$NF}'
|
| 2016-11-10 | ADDON-12085 | recursive search for bash_histories is expensive |
Version 5.2.3
The Splunk Add-on for Unix and Linux was last updated on Tuesday, April 5, 2016.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
| Publication date | Defect number | Description |
| 2016-4-5 | TAG-11060 | The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module. |
Current known issues
The Splunk App for Unix and Linux has the following known issues:
| Publication date | Defect number | Description |
| 2016-2-29 | TAG-10164 | On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
|
| 2015-12-15 | TAG-4275 | The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently. |
Change Log (what's been fixed)
| Publication date | Defect number | Description |
| 2016-4-5 | TAG-11059 | The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module. |
Version 5.2.2
The Splunk Add-on for Unix and Linux was last updated on Monday, February 29, 2016.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
| Publication date | Defect number | Description |
| 2016-2-29 | N/A | Bug fixes. |
| 2016-2-29 | TAG-10606 | Event type definitions in the add-on have been updated to improve performance. |
Current known issues
The Splunk App for Unix and Linux has the following known issues:
| Publication date | Defect number | Description |
| 2016-2-29 | TAG-10164 | On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
|
| 2015-12-15 | TAG-4275 | The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently. |
Change Log (what's been fixed)
| Publication date | Defect number | Description |
| 2016-2-29 | TAG-10606 | Event type definitions in the add-on have been updated to improve performance. |
| 2016-2-29 | TAG-10537 | The add-on now determines the correct operating system version numbers on hosts that run AIX and Solaris. |
| 2016-2-29 | TAG-10474 | A typo in a field transformation that referenced an invalid FORMAT argument has been fixed.
|
| 2016-2-29 | TAG-9922 | The add-on has been updated to not expose file and scripted input configuration controls on Splunk Cloud installations. |
Version 5.2.1
The Splunk Add-on for Unix and Linux was last updated on Tuesday, December 15, 2015.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
| Publication date | Defect number | Description |
| 2015-12-15 | N/A | Bug fixes. |
Current known issues
The Splunk App for Unix and Linux has the following known issues:
| Publication date | Defect number | Description |
| 2015-12-15 | TAG-4275 | On hosts that run AIX, the vmstat.sh script does not produce output.
|
Change Log (what's been fixed)
| Publication date | Defect number | Description |
| 2015-12-15 | TAG-10147 | A problem with vmstat.sh where space-delimited and tab-delimited entries were intermingled was fixed.
|
| 2015-12-15 | TAG-10213 | The add-on has been updated to move some of the data it collects into a data model. This is for use with the OS Module for Splunk IT Service Intelligence. |
| 2015-12-15 | TAG-4211 | A problem where the rlog.sh and [monitor://var/log] stanzas within the add-on collected audit.log twice (in different ways) was fixed.
|
Version 5.2.0
The Splunk Add-on for Unix and Linux was last updated on Friday, September 18, 2015.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
| Publication date | Defect number | Description |
| 2015-9-18 | N/A | Bug fixes. |
| 2015-9-18 | N/A | The app has been updated to be compatible with Splunk Enterprise version 6.3. |
Current known issues
The Splunk App for Unix and Linux has the following known issues:
| Publication date | Defect number | Description |
| 2015-10-13 | TAG-4211 | The rlog.sh scripted input and [monitor:///var/log] input stanza both collect audit.log, although in slightly different formats. This might result in duplicate data collection. To work around this problem, add a blacklist to the [monitor:///var/log] stanza:
[monitor:///var/log] whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out) blacklist=(audit.log|lastlog|anaconda\.syslog) index=os disabled = 1 |
Change Log (what's been fixed)
| Publication date | Defect number | Description |
| 2015-9-18 | TAG-9589 | The add-on no longer breaks search-time extractions for syslog on upgrade.
|
| 2015-9-18 | TAG-9482 | The add-on no longer reports incorrect CPU usage when installed on a Solaris 10 host. |
| 2015-9-18 | TAG-9353 | The storage, storage_used, and storage_free fields now display data in megabytes instead of bytes.
|
| 2015-9-18 | TAG-9312 | The rlog.sh scripted input now reads the first line of the audit.log file. This fixes a problem where events in Splunk Enterprise did not reflect all contents of the file.
|
| 2015-9-18 | TAG-9220 | The package.sh scripted input now populates the RELEASE field on Debian Linux systems.
|
| 2015-9-18 | TAG-3913 | The regular expression that defines line breaking patterns for the add-on no longer generates spurious errors in the line-breaking processor. |
Version 5.1.2
The Splunk Add-on for Unix and Linux was last updated on Wednesday, April 1, 2015.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
- Bug fixes.
Current known issues
The Splunk App for Unix and Linux has the following known issues:
- The values for total, used, and free memory that the
vmstat.shscript displays differ from the values that the nativevmstatcommand displays. This is becausevmstat.shcounts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010) - The vmstat scripted input does not work on AIX. (TAG-4518)
- On Linux systems, the
cpu.shscript does not display the%stealCPU counter. (TAG-4114) - Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as
openPortsEnhanced.sh,passwd.sh, andsshdChecker.sh) do not work by default. To work around the problem, set theDYLD_LIBRARY_PATHvariable as follows:
export SPLUNK_HOME=<location of Splunk installation> export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib
(NIX-649, SPL-78856)
- Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
- When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
- The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
- When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
- When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
- On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the
vmstatscripted inputs will always return "?" for threads columns on HP/UX. - On Solaris systems, the
hardware.shscripted input sometimes returns empty values for some entries. (NIX-42) - If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
- You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
- If you remove the default group, you sometimes receive an error "
Unknown search command: 'all'" when you load the Home page. (NIX-560) - In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
- The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
- The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
- You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)
Change Log (what's been fixed)
- Copyright information for the add-on has been updated and corrected. (TAG-9244)
- The add-on no longer incorrectly displays in the Splunk Light Dashboards page. (TAG-9182)
- The
su_authenticationevent type within the add-on now has bettersucommand event-matching logic. (TAG-8938) - The
uptime.shscript in the add-on now handlespsoutput properly on HP-UX machines. (TAG-4204) - An unnecessary transform for WMI installed apps has been removed. (TAG-4191)
- The
top.shscript now accounts for the fact that, starting with Mac OS X version 10.9 Mavericks and later, there is norshrd(resident shared address space size) statistic for thetopcommand. On Mac OSX 10.9 Mavericks and later, the script now outputs "?" for that statistic, instead of generating an error. (TAG-4077) - The add-on no longer attempts to automatically learn new source types when you tell it to monitor large directories. (TAG-3986)
Version 5.1.1
The Splunk Add-on for Unix and Linux was last updated on Friday, February 13, 2015.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
- Bug fixes.
- Feature additions to better work with Splunk Light (TAG-3983, TAG-8913).
Current known issues
The Splunk App for Unix and Linux has the following known issues:
- The values for total, used, and free memory that the
vmstat.shscript displays differ from the values displayed by the nativevmstatcommand. This is becausevmstat.shcounts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010) - On Linux systems, the
cpu.shscript does not display the%stealCPU counter. (TAG-4114) - Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as
openPortsEnhanced.sh,passwd.sh, andsshdChecker.sh) do not work by default. To work around the problem, set theDYLD_LIBRARY_PATHvariable as follows:
export SPLUNK_HOME=<location of Splunk installation> export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib
(NIX-649, SPL-78856)
- Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
- When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
- The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
- When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
- When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
- On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the
vmstatscripted inputs will always return "?" for threads columns on HP/UX. - On Solaris systems, the
hardware.shscripted input sometimes returns empty values for some entries. (NIX-42) - If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
- You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
- If you remove the default group, you sometimes receive an error "
Unknown search command: 'all'" when you load the Home page. (NIX-560) - In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
- The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
- The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
- You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)
Change Log (what's been fixed)
- A cosmetic issue with the "Reset" button on the add-on configuration page has been fixed. (TAG-3976)
- The documentation links in the add-on now go to valid places. (TAG-4421)
Version 5.1.0
The Splunk Add-on for Unix and Linux was last updated on Monday, October 6, 2014.
What's new
Here's what's new in the latest version of the Splunk App for Unix and Linux:
- Bug fixes.
- Feature additions to better work with the Splunk App for Enterprise Security.
- The add-on now contains some knowledge layer improvements. (NIX-638)
- The add-on now normalizes timestamps to work with the Change_Analysis data model. (NIX-668)
- The add-on now has higher-resolution icons. (NIX-660)
Current known issues
The Splunk App for Unix and Linux has the following known issues:
- The values for total, used, and free memory that the
vmstat.shscript displays differ from the values displayed by the nativevmstatcommand. This is becausevmstat.shcounts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010) - Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as
openPortsEnhanced.sh,passwd.sh, andsshdChecker.sh) do not work by default. To work around the problem, set theDYLD_LIBRARY_PATHvariable as follows:
export SPLUNK_HOME=<location of Splunk installation> export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib
(NIX-649, SPL-78856)
- Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
- When you install the app and point it at the indexes which contain your *nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
- The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer's threshold bar. (NIX-428)
- When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
- When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
- On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the
vmstatscripted inputs will always return "?" for threads columns on HP/UX. - On Solaris systems, the
hardware.shscripted input sometimes returns empty values for some entries. (NIX-42) - If you clone an existing alert saved search, you cannot edit the search using the "Settings: Alerts" configuration page. (NIX-537)
- You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
- If you remove the default group, you sometimes receive an error "
Unknown search command: 'all'" when you load the Home page. (NIX-560) - In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
- The app's scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
- The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
- You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)
Change Log (what's been fixed)
- A problem with the first-time run experience where a file rename would cause the experience to repeat continuously was fixed. (NIX-664)
- A search macro definition for network monitoring that conflicted with a similar definition in the Splunk Add-on for Windows was corrected. (NIX-663)
- Values defined within stanzas in some configuration files now have proper URI encodings. (NIX-656)
- The
vmstat.shscript now properly returns results on systems with more than one mass storage device. (NIX-648) - A problem where event type searches generated false positives because they include the summary index has been fixed. (NIX-644)
- The Splunk Supporting App for Unix and Linux (SA-Nix) no longer overwrites the
actionfield. (NIX-641) - A search-time field extraction that referenced the
syslogsource type has been removed. (NIX-634) - A typo in the
version.shscript has been corrected. (NIX-630) - The
setup.shscript now properly accepts the--authargument. This enables users to use the script to log into their Splunk Enterprise instance while setting up the Splunk App for Unix and Linux from the command line. (NIX-624) - A customer-submitted patch to
interfaces.shimproves how that script gathers network interface error statistics. (NIX-623)
Last modified on 02 November, 2021
| Release notes for the Splunk Add-on for Unix and Linux | Hardware and software requirements for the Splunk Add-on for Unix and Linux |
This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 6.0.0
Download manual
Feedback submitted, thanks!