Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux

On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.
This documentation does not apply to the most recent version of Splunk® App for Unix and Linux (Legacy). For documentation on the most recent version, go to the latest release.

What data the Splunk TA for Unix and Linux collects

This topic describes what data the Splunk TA for Unix and Linux collects.

The TA collects the following data using file inputs:

  • Changes to files present in the /etc directory and subdirectories.
  • Changes to files present in the /var/log directory and subdirectories.

The TA collects the following data using scripted inputs:

  • CPU statistics via the sar, mpstat and iostat commands (cpu.sh scripted input).
  • Free disk space available for each mount via the df command (df.sh scripted input).
  • Hardware information - CPU type, count, and cache; hard drives; network interface cards and count; and memory via the dmesg, iostat, ifconfig, and df commands (hardware.sh scripted input).
  • Information about the configured network interfaces via the ifconfig and dmesg commands (interfaces.sh scripted input).
  • Input/output statistics for block devices and partitions via the iostat command (iostat.sh scripted input).
  • Last login times for system accounts via the last command (lastlog.sh scripted input).
  • Information about files opened by processes via the lsof command (lsof.sh scripted input).
  • Network connections, routing tables and network interface statistics via the netstat command (netstat.sh scripted input).
  • Available network ports via the netstat command (openPorts.sh and openPortsEnhanced.sh scripted inputs).
  • Information about software packages or sets that are installed on the system via the dpkg-query, pkginfo, and pkg_info commands (package.sh scripted input).
  • User information via the /etc/passwd file (passwd.sh scripted input).
  • Information about TCP/UDP transfer statistics via the netstat command (protocol.sh scripted input).
  • Status of current running processes via the ps command (ps.sh scripted input).
  • Audit information recorded by the auditd daemon to /var/log/audit/audit.log (rlog.sh scripted input).
  • Information on the status of SELinux on the system (selinuxChecker.sh scripted input).
  • Information on installed services via the chkconfig (for Linux) or svcs (for Solaris) commands, or via a listing of the StartupItems directories for OS X (service.sh scripted input).
  • Information on the secure shell daemon (sshd) configuration (sshdChecker.sh scripted input).
  • System date and time and NTP server time via the date and ntpdate commands (time.sh scripted input).
  • List of running system processes via the top command (top.sh scripted input).
  • Information on the versions of software packages installed on the system via the yum (for Linux) and softwareupdate (for OS X) commands (update.sh scripted input).
  • Information on the system's uptime via the ps command (uptime.sh scripted input).
  • Information about the system's kernel version and architecture via the uname command (version.sh scripted input).
  • User attribute information for the local system via the /etc/passwd file (usersWithLoginPrivs.sh scripted input).
  • Process-related memory usage information via the top, vmstat, and ps commands (vmstat.sh scripted input).
  • Information on all users currently logged in via the who command (who.sh scripted input).
  • Information on the status and configuration of the Very Secure FTP daemon (VSFTPD) (vsftpdChecker.sh scripted input).


The Splunk Technology Add-on for Unix and Linux puts all the data it indexes into a special index called os.

Note: Blank fields returned in events gathered by the scripted inputs described above are displayed as question marks ("?"). This is expected behavior to preserve field spacing, and is not cause for concern.

Last modified on 03 April, 2013

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 4.7

