https://community.splunk.com/t5/Splunk-ITSI/ITSI-OS-Module-documentation-issues-inputs-for-event-metrics/m-p/604396#M2543 <P>I've noticed an issue with the documentation and configuration for&nbsp;<SPAN>DA-ITSI-OS.<BR /><BR /><A href="https://docs.splunk.com/Documentation/ITSI/4.13.1/IModules/OSmoduleconfiguration" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/ITSI/4.13.1/IModules/OSmoduleconfiguration</A><BR /><BR />Firstly, the documentation suggests that If using Splunk_TA_nix, I should enable metrics inputs with the following:<BR /><BR /></SPAN></P> <PRE>[script://./bin/vmstat.sh] interval = 60 sourcetype = vmstat source = vmstat # index = os disabled = 0 [script://./bin/iostat.sh] interval = 60 sourcetype = iostat source = iostat # index = os disabled = 0 [script://./bin/nfsiostat.sh] interval = 60 sourcetype = nfsiostat source = nfsiostat # index = os disabled = 0 [script://./bin/ps.sh] interval = 30 sourcetype = ps source = ps # index = os disabled = 0 [script://./bin/bandwidth.sh] interval = 60 sourcetype = bandwidth source = bandwidth # index = os disabled = 0 [script://./bin/df.sh] interval = 300 sourcetype = df source = df # index = os disabled = 0 [script://./bin/cpu.sh] sourcetype = cpu source = cpu interval = 30 # index = os disabled = 0 [script://./bin/hardware.sh] sourcetype = hardware source = hardware interval = 36000 # index = os disabled = 0 [script://./bin/version.sh] disabled = false # index = os interval = 86400 source = Unix:Version sourcetype = Unix:Version</PRE> <P><SPAN><BR />The problem is, that these are inputs for event metrics and everything else is set up for metrics!<BR /><BR />In the actual Splunk_TA_nix, the inputs for metrics versions of those scripts have a different stanza, such as<BR /></SPAN></P> <PRE>cpu_metric df_metric interfaces_metric iostat_metric ps_metric vmstat_metric</PRE> <P><SPAN>If I simply change the sourcetype, it breaks the input, so by default, all those metrics based scripts output with the metric name using the _metric suffix.<BR /><BR />Unfortunately, ALL the ITSI OS module searches are looking for the un suffixed metric names, E.G. cpu, ps, vmstat!<BR /><BR />If I alter the searches to look for the updated suffixed metric names, I don't get the OS Host Information panel appearing on the entity within the deep dive or entity view.<BR /><BR />So I don't know how, under the configured&nbsp;searches, any of this will work unless heavily modified, or why the documentation points to event log collection scripts&nbsp; but the module requires metrics indexes given the use of mstats to search.<BR /><BR />What am I missing here?<BR /><BR /><BR /><BR /></SPAN></P> Wed, 19 Oct 2022 16:42:34 GMT griersoncrick 2022-10-19T16:42:34Z https://community.splunk.com/t5/Splunk-ITSI/ITSI-OS-Module-documentation-issues-inputs-for-event-metrics/m-p/604396#M2543 <P>I've noticed an issue with the documentation and configuration for&nbsp;<SPAN>DA-ITSI-OS.<BR /><BR /><A href="https://docs.splunk.com/Documentation/ITSI/4.13.1/IModules/OSmoduleconfiguration" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/ITSI/4.13.1/IModules/OSmoduleconfiguration</A><BR /><BR />Firstly, the documentation suggests that If using Splunk_TA_nix, I should enable metrics inputs with the following:<BR /><BR /></SPAN></P> <PRE>[script://./bin/vmstat.sh] interval = 60 sourcetype = vmstat source = vmstat # index = os disabled = 0 [script://./bin/iostat.sh] interval = 60 sourcetype = iostat source = iostat # index = os disabled = 0 [script://./bin/nfsiostat.sh] interval = 60 sourcetype = nfsiostat source = nfsiostat # index = os disabled = 0 [script://./bin/ps.sh] interval = 30 sourcetype = ps source = ps # index = os disabled = 0 [script://./bin/bandwidth.sh] interval = 60 sourcetype = bandwidth source = bandwidth # index = os disabled = 0 [script://./bin/df.sh] interval = 300 sourcetype = df source = df # index = os disabled = 0 [script://./bin/cpu.sh] sourcetype = cpu source = cpu interval = 30 # index = os disabled = 0 [script://./bin/hardware.sh] sourcetype = hardware source = hardware interval = 36000 # index = os disabled = 0 [script://./bin/version.sh] disabled = false # index = os interval = 86400 source = Unix:Version sourcetype = Unix:Version</PRE> <P><SPAN><BR />The problem is, that these are inputs for event metrics and everything else is set up for metrics!<BR /><BR />In the actual Splunk_TA_nix, the inputs for metrics versions of those scripts have a different stanza, such as<BR /></SPAN></P> <PRE>cpu_metric df_metric interfaces_metric iostat_metric ps_metric vmstat_metric</PRE> <P><SPAN>If I simply change the sourcetype, it breaks the input, so by default, all those metrics based scripts output with the metric name using the _metric suffix.<BR /><BR />Unfortunately, ALL the ITSI OS module searches are looking for the un suffixed metric names, E.G. cpu, ps, vmstat!<BR /><BR />If I alter the searches to look for the updated suffixed metric names, I don't get the OS Host Information panel appearing on the entity within the deep dive or entity view.<BR /><BR />So I don't know how, under the configured&nbsp;searches, any of this will work unless heavily modified, or why the documentation points to event log collection scripts&nbsp; but the module requires metrics indexes given the use of mstats to search.<BR /><BR />What am I missing here?<BR /><BR /><BR /><BR /></SPAN></P> Wed, 19 Oct 2022 16:42:34 GMT https://community.splunk.com/t5/Splunk-ITSI/ITSI-OS-Module-documentation-issues-inputs-for-event-metrics/m-p/604396#M2543 griersoncrick 2022-10-19T16:42:34Z https://community.splunk.com/t5/Splunk-ITSI/ITSI-OS-Module-documentation-issues-inputs-for-event-metrics/m-p/617719#M2592 <P>Noticed the same issue here.&nbsp; There seems to be a discrepancy with how ITSI/IT Work does entity discovery.&nbsp; Entity types appear to rely on metric data and entity discovery modules on event data.</P> Wed, 19 Oct 2022 15:56:00 GMT https://community.splunk.com/t5/Splunk-ITSI/ITSI-OS-Module-documentation-issues-inputs-for-event-metrics/m-p/617719#M2592 jcunningham63 2022-10-19T15:56:00Z