https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123436#M9594 <P>Well I think you've found your own problem. Doesn't sound like the TA-nix is installed on your search head. Not sure how that can be? Here's the stanza from Splunk_TA_nix/default/props.conf:</P> <PRE><CODE> [top] SHOULD_LINEMERGE=false LINE_BREAKER=(^$|[\r\n]+[\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT KV_MODE=multi </CODE></PRE> Mon, 28 Sep 2020 16:57:04 GMT araitz 2020-09-28T16:57:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123430#M9588 <P>I'm in the process of setting up the Splunk App for Unix and Linux and the Splunk Add-on for Unix and Linux.</P> <P>I've installed and configured the App via Splunk Web (which runs on a Windows box) using default settings. I've installed the Add-on on one of my Linux boxes and enabled all of the default inputs using default settings. I've got data flowing into the "os" index.</P> <P>But...all of the App dashboards are coming up empty/"No results found."</P> <P>Here's a screenshot of the Hosts dashboard, showing the information for the one Linux host I've configured:<BR /> <IMG src="http://answers.splunk.com//storage/app4nix_hosts.jpg" alt="Hosts dashboard, all info &quot;unknown&quot;" /></P> <P>Using the "Process Status" as an example (since it's easy to inspect), I get:<BR /><CODE>This search has completed and found 5 matching events. However, the transforming commands in the highlighted portion of the following search:</CODE></P> <P>search index=os sourcetype=top host=my-host-name | <STRONG>stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME</STRONG></P> <P>generated no results.</P> <P>If I run the <CODE>search</CODE> command portion (excluding the <CODE>stats</CODE> command and everything after it), I get events that look like this (screenshot #2); I assume this format normal:<BR /> <IMG src="http://answers.splunk.com//storage/app4nix_st-top_raw.jpg" alt="Sample event from index=os sourcetype=top host=my-host-name" /></P> <P>Argh! So, what am I missing?</P> Fri, 27 Jun 2014 21:49:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123430#M9588 redc 2014-06-27T21:49:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123431#M9589 <P>Did you follow the prompt from the home page to set up the app? Did you read through the docs on first time configuration?</P> <P><A href="http://docs.splunk.com/Documentation/UnixApp/latest/User/First-timeconfiguration">http://docs.splunk.com/Documentation/UnixApp/latest/User/First-timeconfiguration</A></P> Fri, 27 Jun 2014 21:55:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123431#M9589 araitz 2014-06-27T21:55:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123432#M9590 <P>I don't know what to tell you about the app in general, but I know what is wrong with this particular search!</P> <PRE><CODE>index=os sourcetype=top host=my-host-name | multikv | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME </CODE></PRE> <P>My only other suggestion is that you check the versions of the app and the add-on - there may be older and newer versions, and you should be sure to use versions of the two that work together...</P> <P>There is a manual for the app at <A href="http://docs.splunk.com/Documentation/UnixApp/latest/User/AbouttheSplunkAppforUnix">Splunk App for Linux and Unix</A></P> Fri, 27 Jun 2014 21:57:11 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123432#M9590 lguinn2 2014-06-27T21:57:11Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123433#M9591 <P>@lguinn - the nix TA runs KV_MODE=MULTI automatically, so running multikv explicitly is not required.</P> Fri, 27 Jun 2014 22:01:21 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123433#M9591 araitz 2014-06-27T22:01:21Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123434#M9592 <P>The bottom screenshot is the data that should be filling the "Process Status" portion of the first screenshot, <EM>NOT</EM> the cpu.sh, vmstat.sh, and df.sh portions in the "Specification" and "System Status" portions. Those three inputs are also sending data to the "os" index but getting the same "transforming commands" generated no results error as above.</P> <P>Yes, I performed the actions in that document, up to the alerts portion (I'm not ready yet to start alerts flowing), including deleting the auto-created "all_hosts" and "default" category/group in order to configure my own.</P> Fri, 27 Jun 2014 22:02:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123434#M9592 redc 2014-06-27T22:02:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123435#M9593 <P>Just for kicks, I tried this by running the search manually and it <STRONG>does</STRONG> generate output where before it doesn't. Sorry @araitz.</P> <P>However, I find it odd that the app doesn't do this "out of the box" since I would expect there to always be multiple commands/users running on any given server (or at least, for that to be the case more often than not).</P> <P>But is this the solution? Since I haven't seen what this dashboard <STRONG>should</STRONG> look like when it's working correctly, I'm not sure if this produces the correct results.</P> Fri, 27 Jun 2014 22:07:47 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123435#M9593 redc 2014-06-27T22:07:47Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123436#M9594 <P>Well I think you've found your own problem. Doesn't sound like the TA-nix is installed on your search head. Not sure how that can be? Here's the stanza from Splunk_TA_nix/default/props.conf:</P> <PRE><CODE> [top] SHOULD_LINEMERGE=false LINE_BREAKER=(^$|[\r\n]+[\r\n]+) TRUNCATE=1000000 DATETIME_CONFIG = CURRENT KV_MODE=multi </CODE></PRE> Mon, 28 Sep 2020 16:57:04 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123436#M9594 araitz 2020-09-28T16:57:04Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123437#M9595 <P>Ah-ha. I'd installed it, but it was disabled. Enabling the Splunk_TA_nix on the search head solved it.</P> Mon, 28 Sep 2020 16:57:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123437#M9595 redc 2020-09-28T16:57:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123438#M9596 <P>See above comment - answers won't let me move it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 27 Jun 2014 22:39:22 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Unix-and-Linux-coming-up-empty/m-p/123438#M9596 araitz 2014-06-27T22:39:22Z