Splunk® App for Unix and Linux

Install and Use the Splunk App for Unix and Linux



On March 13, 2022, the Splunk App for Unix and Linux will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Unix Dashboards and Reports.

Troubleshoot the Splunk App for Unix and Linux

You can troubleshoot your Splunk App for Unix and Linux deployment if you are experiencing errors or if you are not seeing the data that you expect.

The bubble color differs from the actual value

The bubble in the chart shows the value of the parameter selected in the dropdowns. The color bar, which shows a value between 1 and 100, sets the color of the bubble. If the bubble value is greater than 100, the value is scaled to keep the number under 100.

Error about the unix_summary index when enabling alerts

This error occurs when you are running version 5.2.1 or earlier of the Splunk App for Unix and Linux and have not distributed the indexes.conf file to all indexers in your instance. Alerts require this index to function correctly.

Missing or invalid dropdowns.csv

This error occurs when you skip the first-time configuration screen. Complete these two steps to fix it:

  1. Configure the app by selecting Settings from the main app menu.
  2. From the Settings screen, select Categories.

CPU information is not displaying

This error occurs when the sysstat package is not installed on the system that hosts the app. Use your system's package manager to install the package.

Ubuntu systems do not ship with this package by default. Run the following command to add it:

apt-get install sysstat

Amazon EC2 Amazon Machine Image (AMI) systems also do not ship with this package installed by default. Run the following command to add it:

yum -y install sysstat

Home and Metrics views do not display data

If your Home and Metrics views do not display any data, navigate to the web.conf file on the Splunk platform instance that runs the app and add the following stanza:

[settings]
minify_js = True

If you set minify_js to False, views do not load.

Split pctCPU

The value of pctCPU is calculated across all CPUs, not per individual core. Use searches such as the following to split pctCPU into smaller units:

Search                                        Description
tag=cpu | stats avg(pctUser)                  average cpu.user over all CPUs
tag=cpu | stats avg(pctUser) by CPU           average cpu.user per CPU
tag=cpu CPU=1 | stats avg(pctUser) by CPU     average cpu.user of CPU 1

Unable to change colors in radial graph on the Home Dashboard

If you move the second color picker down and cross it with the first color picker, the bottom-most color does not update due to a technical limitation.

To reflect the changes, refresh the page.

Alert Model isn't opening on the cloud environment

If the Alert Model and Open in Search features aren't working in the Alert dashboard, do the following workaround:

For search head cluster deployments

  1. On the deployer, create a new file with the name savedsearches.conf in the $SPLUNK_HOME/splunk/etc/shcluster/apps/splunk_app_for_nix/local directory.
  2. Add schedule_as=classic in the following alert stanzas:
    • Memory_Exceeds_MB_by_Process
    • Memory_Exceeds_Percent_by_Host
    • Memory_Exceeds_MB_by_Host
    • CPU_Exceeds_Percent_by_Host
    • CPU_Under_Percent_by_Host
    • Load_Exceeds_by_Host
    • Threads_Exceeds_by_Host
    • Processes_Exceeds_by_Host
    • Disk_Used_Exceeds_Percent_by_Host
    • Open_Files_Exceeds_by_Process
    • IO_Wait_Exceeds_Threshold
    • IO_Utilization_Exceeds_Threshold
    Here's an example alert stanza:
    [Memory_Exceeds_MB_by_Process]
    schedule_as = classic
    
  3. Push the updated app bundle from the deployer. The deployer restarts all the search head cluster members after the update is applied. If the deployer does not restart the search head cluster members, perform a rolling restart.

For dedicated search head deployments

  1. On the search head, create a new file with the name savedsearches.conf in the $SPLUNK_HOME/splunk/etc/apps/splunk_app_for_nix/local directory.
  2. Add schedule_as=classic in the following alert stanzas:
    • Memory_Exceeds_MB_by_Process
    • Memory_Exceeds_Percent_by_Host
    • Memory_Exceeds_MB_by_Host
    • CPU_Exceeds_Percent_by_Host
    • CPU_Under_Percent_by_Host
    • Load_Exceeds_by_Host
    • Threads_Exceeds_by_Host
    • Processes_Exceeds_by_Host
    • Disk_Used_Exceeds_Percent_by_Host
    • Open_Files_Exceeds_by_Process
    • IO_Wait_Exceeds_Threshold
    • IO_Utilization_Exceeds_Threshold
    Here's an example of the stanza:
    [Memory_Exceeds_MB_by_Process]
    schedule_as = classic
    
  3. Restart the Splunk instance.
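
Step 2 of either procedure can be scripted so that all twelve stanzas are written consistently and any settings already present in the local savedsearches.conf are kept. The following is an added example, not part of the Splunk documentation; the function names ensure_classic and count_classic are hypothetical, and the file to edit is passed as the first argument.

```shell
#!/bin/sh
# Added example: set schedule_as = classic for the twelve alert stanzas listed above.
# Usage: sh set_classic.sh <path to local/savedsearches.conf of splunk_app_for_nix>
ALERTS="Memory_Exceeds_MB_by_Process Memory_Exceeds_Percent_by_Host \
Memory_Exceeds_MB_by_Host CPU_Exceeds_Percent_by_Host CPU_Under_Percent_by_Host \
Load_Exceeds_by_Host Threads_Exceeds_by_Host Processes_Exceeds_by_Host \
Disk_Used_Exceeds_Percent_by_Host Open_Files_Exceeds_by_Process \
IO_Wait_Exceeds_Threshold IO_Utilization_Exceeds_Threshold"

# ensure_classic CONF: make every listed stanza in CONF carry schedule_as = classic.
# Other stanzas and other keys are copied through unchanged; rerunning changes nothing.
ensure_classic() {
    conf=$1
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp)
    awk -v alerts="$ALERTS" '
        BEGIN { n = split(alerts, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^\[.*\]$/ {                          # stanza header
            cur = substr($0, 2, length($0) - 2)
            print
            if (cur in want) { print "schedule_as = classic"; seen[cur] = 1 }
            next
        }
        # an older schedule_as line in a listed stanza is replaced by the one above
        (cur in want) && /^[ \t]*schedule_as[ \t]*=/ { next }
        { print }
        END {                                 # append listed stanzas not yet in the file
            for (i = 1; i <= n; i++)
                if (!(a[i] in seen)) printf "\n[%s]\nschedule_as = classic\n", a[i]
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner and mode of CONF
    rm -f "$tmp"
}

# count_classic CONF: print how many stanzas in CONF contain schedule_as = classic.
count_classic() {
    awk '/^\[/ { cur = $0 }
         /^schedule_as = classic$/ && cur != "" { c++; cur = "" }
         END { print c + 0 }' "$1"
}

if [ -n "${1:-}" ]; then
    ensure_classic "$1" && count_classic "$1"
fi
```

The script only edits the file. Step 3 of the matching procedure (pushing the bundle from the deployer, or restarting the search head) still applies.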
Last modified on 02 June, 2021

This documentation applies to the following versions of Splunk® App for Unix and Linux: 6.0.0, 6.0.1, 6.0.2

