Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux


On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

Release notes

This topic contains information on new features, known issues, and updates as we version the Splunk App for Unix and Linux.

What's new

Here's what's new in the latest version of the Splunk App for Unix and Linux:

  • Documentation! This app now has official Splunk documentation that will be maintained with every release of the app.
  • Many bug fixes.
  • New setup and first-time run tools.
  • Enhanced support for AIX.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The app does not properly display a "Results Chart" button above any displayed results. (APP-503)
  • On Ubuntu systems, the "Percent Load by Host" chart does not display any results. The underlying script that feeds this chart, cpu.sh, runs the sar and mpstat binaries, which are not installed by default on an Ubuntu system. To fix the issue, use apt-get to install the sysstat package. (SPL-41361)
  • After installation, a non-user-friendly message is sometimes displayed in the banner area of the active Splunk Web window when Splunk asks the user to restart it. (SPL-44644)
  • The behavior of some of the drop-down menus within the app is inconsistent. (SPL-44692)
  • Some charts for disk-related information do not display properly. (SPL-44697)
  • The interface throughput chart does not display any data, even though there are throughput events coming into the app. (SPL-44699)
  • The search command for displaying differences in selected files is wrong. (SPL-44701)
  • On some Ubuntu installations, there is no detailed information displayed for events with the interface sourcetype. (SPL-44705)
  • On FreeBSD systems, neither the lsof.sh scripted input nor the dashboards based on the lsof source type are functional. (SPL-44786)

Change log (what's been fixed)

  • The app no longer intermittently presents an HTTP 500 Internal Server Error when enabling file and scripted inputs during initial setup. (SPL-44702)
  • The app now properly monitors /var/log/messages and /var/log/secure by default. (SPL-40953)
  • The app now properly detects and logs new users added to the system. (SPL-41491)
  • Problems with some missing event types for the app are now resolved. (SPL-44493, SPL-44494)
  • The app now properly monitors the correct syslog folder on Solaris systems. (SPL-44749)
  • On Linux systems, the app now properly displays real and virtual memory usage statistics. (SPL-44842)
  • The app now properly handles the display of unavailable metrics on various versions of *nix. (SPL-42885)
  • On Solaris 10 systems, information about network interface transactions and duplex is now properly reported. (SPL-42868)
  • Various performance-related saved searches now function properly. (SPL-42866, SPL-42867, SPL-42872, SPL-42878, SPL-42879, SPL-42881, SPL-42895)
  • The "CPU by process" saved search now properly averages percent-CPU statistics. (SPL-42894)
Last modified on 25 October, 2012
This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 4.5

