The documentation for the current version of this Add-on has moved. See the current version of the documentation for the Splunk Add-on for Unix and Linux.
Release notes for the Splunk Add-on for Unix and Linux
Version 6.0.0 of the Splunk Add-on for Unix and Linux was released on May 25, 2018.
Compatibility
Version 6.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.6.X and later |
| CIM | 4.3 and later |
| Supported OS for data collection | All supported Unix operating systems. See Unix operating systems. |
| Script | CentOS | RHEL | Ubuntu | Solaris | AIX | FreeBSD | Mac OS X | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6 | 7 | 7.4 | 6.9 | 14.04 | 16.04 | 10 | 11.3 | 11.0 | 7.1 | 7.2 | 9 | 10 | 11 | 10.11 | 10.12 | |
bandwidth.sh
|
Y | Y | Y | Y | Y | Y | Y1 | Y2 | Y | Y | Y | N3 | N3 | N3 | Y | N3 |
common.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
cpu.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N3 |
df.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
hardware.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
interfaces.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
iostat.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N4 | N4 |
lastlog.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | Y | Y | Y | Y | Y |
lsof.sh
|
Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | Y | Y |
netstat.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
openPorts.sh
|
Y5 | Y5 | Y5 | Y5 | Y | Y | Y5 | Y5 | Y5 | Y | Y | Y | Y | Y | Y | Y |
openPortsEnhanced.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | Y | Y |
package.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N6 | N6 | Y | Y |
passwd.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
protocol.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
ps.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y7 | Y7 | Y7 | Y | Y |
rlog.sh
|
Y | Y8 | Y8 | Y | Y9 | Y | N | N | N | N | N | N | N | N | N | N |
selinuxChecker.sh
|
Y | Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | N |
service.sh
|
Y | Y | Y | Y | N10 | Y | Y | Y | Y | N | N | N | N | N | Y | Y |
sshdChecker.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | N | N | N | N | N | N | N |
time.sh
|
Y11 | Y11 | Y | Y | Y | Y | Y | Y | Y | Y | Y11 | Y | Y | Y | Y | Y |
top.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
update.sh
|
Y | Y | Y | Y | N | N | N | N | N | N | N | N | N | N | Y | Y |
uptime.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
usersWithoginPrivs.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
version.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
vmstat.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | N |
vsfptdChecker.sh
|
N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N |
who.sh
|
Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y |
Notes
- Supported, requires
netstat -i. The fields rxKB_PS and txKB_PS are set to <n/a> because netstat on Solaris 10 and 11 does not provide this information. - Supported, requires
dlstat. - Not supported,
saris not available. - Not supported,
/bin/darwin_disk_statsis not available. - Supported, script indexes
Headerinformation as an extra event. - Not supported,
pkg_infois deprecated. - Supported, COMMAND field value is truncated.
- Supported, error log messages are included.
- Supported, requires
ausearch. - Not supported,
chkconfigis not available. - Supported, requires
ntpdate.
Upgrade instructions
All users upgrading to the Splunk Add-on for Unix and Linux version 6.0.0 must follow the prerequisite upgrade steps before performing the installation, see Upgrade the Splunk Add-on for Unix and Linux.
New features
Version 6.0.0 of the Splunk Add-on for Unix and Linux contains the following new and changed features:
- Added support for RedHat Enterprise Linux 7.
- Added support for Solaris 10 and Solaris 11.
- Linux scripts migrated from net-tools to iproute2 to support current Linux releases.
Script updates
netstat.sh(sourcetype=netstat) has been updated. The Proto field no longer contains the IP address type and the State field value is truncated.Proto Recv-Q Send-Q LocalAddress ForeignAddress State tcp 0 0 127.0.0.1:53350 127.0.0.1:8191 ESTAB tcp 0 0 127.0.0.1:8191 127.0.0.1:53324 ESTAB tcp 0 128 :::22 :::* LISTEN tcp 0 100 ::1:25 :::* LISTEN
openPorts.sh(sourcetype=openPorts) has been updated. The protocol field no longer contains the IP address type.tcp 22 tcp 8089 tcp 25 tcp 8191 tcp 8000 tcp 8065 tcp 22 tcp 25
interfaces.sh(sourcetype=interfaces) has been updated. The inetAddr field now contains the netmask.Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex eth0 00:50:56:95:a4:f7 10.0.3.235/20 fe80::250:56ff:fe95:a4f7/64 0 620790375 0 2982390 0 10000Mb/s Full
lastlog.sh(sourcetype=lastlog) has been updated. The LATEST field no longer contains the seconds and year in the timestamp, and the FROM field only contains an IP address.USERNAME FROM LATEST user1 10.0.1.1 Thu Mar 29 13:04 user2 10.0.1.1 Mon Apr 9 14:34
Fixed issues
Version 6.0.0 of the Splunk Add-on for Unix and Linux fixed the following issues:
| Date resolved | Issue number | Description |
|---|---|---|
| 2018-04-12 | ADDON-14093 | vmstat script error on AIX |
| 2018-03-30 | ADDON-12085 | recursive search for bash_histories is expensive |
| 2018-03-27 | ADDON-12862, ADDON-12805 | vmstat.sh thows ExecProcessor errors on machines with Infiband interfaces |
| 2018-03-23 | ADDON-13986 | cpu.sh indexed output is missing core number. |
Known issues
If no issues appear below, no issues have yet been reported.
Version 6.0.0 of the Splunk Add-on for Unix and Linux has the following known issues:
| Date filed | Issue number | Description |
|---|---|---|
| 2019-02-05 | ADDON-21212 | interfaces script throwing error when touching disabled and not configured interfaces. |
| 2019-02-05 | ADDON-21209 | 'Description' field is not properly extracted from events for service.sh script in CentOS 7 configurations |
| 2019-01-31 | ADDON-21184 | service.sh outputs time as a service |
| 2018-04-19 | ADDON-17763 | Getting error log message into SplunkD for rlog.sh script execution for CentOS 7 and RHEL 7.4 Workaround: Replace
in rlog.sh script with
|
| 2018-04-18 | ADDON-17753 | Truncation of COMMAND field value in UI of FreeBSD 9,10 and 11 version |
| 2018-04-03 | ADDON-17607 | openPorts.sh script indexed "Header" information into Splunk as an extra event. |
| 2018-03-27 | ADDON-17560 | Data is not getting indexed for service.sh in Ubuntu 14.04 |
Third-party software attributions
The Splunk Add-on for Unix and Linux does not use third-party software or libraries.
Last modified on 14 August, 2022
| Source types for the Splunk Add-on for Unix and Linux | Release history for the Splunk Add-on for Unix and Linux |
This documentation applies to the following versions of Splunk® Add-on for Unix and Linux (Legacy): 6.0.0
Download manual
Feedback submitted, thanks!