https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116611#M8732 <P>Using Splunk App for Unix 5.0.1</P> <P>I set up a basic category with a couple groups in it with a couple hosts each.</P> <P>Search Head has SA-nix, Splunk_TA_nix, and splunk_app_for_nix installed.</P> <P>Indexers have SA-nix and Splunk_TA_nix installed.</P> <P>UF's have Splunk_TA_nix installed, with inputs enabled.</P> <P>On the SH I go to metrics, then click on a group and I get nothing "No results found..."</P> <P>If I search, (e.g.: index=os sourcetype=cpu) I get all the data I want.</P> <P>Settings/index/sourcetypes are all default, nothing fancy</P> <P>Why are my home screen/metrics screens are empty?</P> Wed, 02 Apr 2014 15:11:16 GMT glitchcowboy 2014-04-02T15:11:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116611#M8732 <P>Using Splunk App for Unix 5.0.1</P> <P>I set up a basic category with a couple groups in it with a couple hosts each.</P> <P>Search Head has SA-nix, Splunk_TA_nix, and splunk_app_for_nix installed.</P> <P>Indexers have SA-nix and Splunk_TA_nix installed.</P> <P>UF's have Splunk_TA_nix installed, with inputs enabled.</P> <P>On the SH I go to metrics, then click on a group and I get nothing "No results found..."</P> <P>If I search, (e.g.: index=os sourcetype=cpu) I get all the data I want.</P> <P>Settings/index/sourcetypes are all default, nothing fancy</P> <P>Why are my home screen/metrics screens are empty?</P> Wed, 02 Apr 2014 15:11:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116611#M8732 glitchcowboy 2014-04-02T15:11:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116612#M8733 <P>which metric are you chosing from the dropdown? If you go to the search inspector, what is the full search generated by the page when you get "no results found"?</P> Wed, 02 Apr 2014 15:26:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116612#M8733 araitz 2014-04-02T15:26:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116613#M8734 <P>well, any metric!</P> <P>So I go to Hosts, select a host, and then the process stats has an inspector link.</P> <P>This search has completed and found 1 matching event. However, the transforming commands in the highlighted portion of the following search:</P> <PRE><CODE>search index=os sourcetype=top host=XYZ | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME </CODE></PRE> <P>over the time range:</P> <PRE><CODE>4/2/14 10:30:37.000 AM – 1/1/01 12:00:00.000 AM </CODE></PRE> <P>generated no results.</P> Wed, 02 Apr 2014 15:37:30 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116613#M8734 glitchcowboy 2014-04-02T15:37:30Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116614#M8735 <P>Wait... If I paste that search in (sans the word 'search'), I get no data, but if I put |multikv| in near the beginning it works. Is there some sort of auto-multikv supposed to be going on here?</P> Wed, 02 Apr 2014 15:42:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116614#M8735 glitchcowboy 2014-04-02T15:42:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116615#M8736 <P>Yes, you'll see that in the TA there are the following lines:</P> <PRE><CODE>[cpu] SHOULD_LINEMERGE=false LINE_BREAKER=(^$|[\r\n]+[\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT KV_MODE = multi </CODE></PRE> <P>That last bit says use multi by default. Is it possible that some other app/TA is overriding the TA's config?</P> Wed, 02 Apr 2014 15:52:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116615#M8736 araitz 2014-04-02T15:52:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116616#M8737 <P>My SearchHead's Splunk_TA_nix was an empty folder. Thus, the KV_MODE was gone. </P> <P>Replaced Splunk_TA_nix and 'index=os|extract reload=t' and I'm in business.</P> Mon, 28 Sep 2020 16:17:57 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-Home-Metrics-Empty/m-p/116616#M8737 glitchcowboy 2020-09-28T16:17:57Z