Splunk® App for Unix and Linux (Legacy)

Install and Use the Splunk App for Unix and Linux



On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app has migrated to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports. The Splunk Add-on for Unix and Linux remains supported.

What data the Splunk App and Splunk Add-on for Unix and Linux collect

This topic describes what data the Splunk App and Splunk Add-on for Unix and Linux collect.

Data collection

The add-on collects the following data using file inputs:

  • Changes to files present in the /etc directory and subdirectories.
  • Changes to files present in the /var/log directory and subdirectories.

The add-on collects the following data using scripted inputs:

  • CPU statistics via the sar, mpstat and iostat commands (cpu.sh scripted input).
  • Free disk space available for each mount via the df command (df.sh scripted input).
  • Hardware information - CPU type, count, and cache; hard drives; network interface cards and count; and memory via the dmesg, iostat, ifconfig, and df commands (hardware.sh scripted input).
  • Information about the configured network interfaces via the ifconfig and dmesg commands (interfaces.sh scripted input).
  • Input/output statistics for block devices and partitions via the iostat command (iostat.sh scripted input).
  • Last login times for system accounts via the last command (lastlog.sh scripted input).
  • Information about files opened by processes via the lsof command (lsof.sh scripted input).
  • Network connections, routing tables and network interface statistics via the netstat command (netstat.sh scripted input).
  • Available network ports via the netstat command (openPorts.sh scripted input).
  • Information about software packages or sets that are installed on the system via the dpkg-query, pkginfo, and pkg_info commands (package.sh scripted input).
  • Information about TCP/UDP transfer statistics via the netstat command (protocol.sh scripted input).
  • Status of current running processes via the ps command (ps.sh scripted input).
  • Audit information recorded by the auditd daemon to /var/log/audit/audit.log (rlog.sh scripted input).
  • System date and time and NTP server time via the date and ntpdate commands (time.sh scripted input).
  • List of running system processes via the top command (top.sh scripted input).
  • User attribute information for the local system via the /etc/passwd file (usersWithLoginPrivs.sh scripted input).
  • Process related memory usage information via the top, vmstat, and ps commands (vmstat.sh scripted input).
  • Information of all users currently logged in via the who command (who.sh scripted input).

Note: Blank fields returned in events gathered by the scripted inputs described above display as question marks ("?"). This is expected behavior to preserve field spacing, and is not cause for concern.
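Because the scripted inputs write a blank field as "?" rather than omitting it, every row of a whitespace-delimited event keeps the same number of tokens as its header, and a downstream consumer can split on whitespace positionally as long as it maps "?" back to an empty value. The following Python parser is an added example and is not part of the Splunk documentation or of the add-on's own code; the sample event text is constructed for illustration and does not reproduce the exact column layout of any particular *.sh scripted input.

```python
"""
Added example (not from the Splunk documentation or the add-on): parse a
whitespace-delimited event of the kind the scripted inputs emit, treating
the "?" placeholder as a blank field while relying on the fixed token count
it guarantees.
"""
from typing import Dict, List, Optional

# Placeholder the scripted inputs use for a blank field (see the note above).
BLANK = "?"

# Constructed sample event: a header line followed by rows, in the style of
# per-mount disk statistics. The column names and values are assumptions.
SAMPLE_EVENT = """\
Filesystem Type Size Used Avail UsePct MountedOn
/dev/sda1 ext4 50G 20G 30G 40% /
tmpfs tmpfs 2G ? 2G 0% /run
/dev/sdb1 ? 100G 60G 40G 60% /data
"""


def parse_scripted_input(text: str) -> List[Dict[str, Optional[str]]]:
    """Split header and rows on whitespace and map "?" to None.

    Because a blank field is emitted as "?" instead of being dropped, each
    row should have exactly as many tokens as the header. A row whose token
    count differs is rejected rather than silently mis-aligned, since that
    would shift every later value into the wrong field.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    records: List[Dict[str, Optional[str]]] = []
    for lineno, line in enumerate(lines[1:], start=2):
        tokens = line.split()
        if len(tokens) != len(header):
            raise ValueError(
                f"line {lineno}: expected {len(header)} fields, got {len(tokens)}"
            )
        records.append(
            {name: (None if value == BLANK else value)
             for name, value in zip(header, tokens)}
        )
    return records


def fields_missing(records: List[Dict[str, Optional[str]]], field: str) -> List[str]:
    """Return the mount points whose `field` was blank ("?") in the event."""
    return [r["MountedOn"] for r in records if r.get(field) is None]


if __name__ == "__main__":
    recs = parse_scripted_input(SAMPLE_EVENT)
    for rec in recs:
        print(rec)
    print("mounts with no Used value:", fields_missing(recs, "Used"))
```

The same approach applies to any of the scripted inputs listed above: keep the positional split, convert "?" to a null rather than a literal string so that searches and reports do not count the placeholder as a real value, and fail loudly on a row whose field count does not match the header.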

Index locations

The Splunk Supporting Add-on for Unix and Linux creates two indexes: unix_summary and firedalerts. It uses these indexes to maintain the list of triggered alert events.

Indexing volume

The Splunk App for Unix and Linux collects around 200 megabytes of data per host per day. The app can collect slightly more or less based on individual host activity.

Last modified on 11 October, 2018

This documentation applies to the following versions of Splunk® App for Unix and Linux (Legacy): 5.2.5, 6.0.0, 6.0.1, 6.0.2
