I recently rolled out the unix app supported for version 6.1 (I believe the unix app was version 5.02 or 5.03) and am pretty disappointed in it.
The current unix app only has last 15min, hour or 24 hours and not being able to change the visualizations is limiting too.
You also can't save the results to colleagues, incident managers, etc. Very frustrating.
For example, in the older unix app you could at least timechart memory by process for timeframes within our outage.
Has anyone worked on alternatives or have a number of saved searches to replace or modify it?
Right now I need some iostat searches checking for iowait values based on a 1m interval collection in the Splunk_nix_TA:
index=os host=landdb01a* sourcetype=iostat | timechart span=1m avg(avgWaitMillis) by Device
Also checking for Read/Write values with:
index=os host=ship* sourcetype=iostat | search Device="dm-0" OR Device="dm-1" OR Device="dm-3" OR Device="dm-4" | timechart span=1m max(wKB_PS) max(rKB_PS) by Device | addtotals fieldname=read *rKB_PS* | addtotals fieldname=write *wKB_PS* | table _time read write
You can certainly edit the view XML to add more time ranges - we restricted to one day so that folks didn't inadvertently shoot themselves in the foot. Similarly, you can change the visualizations via view XML as well. And why can't you share the URL with other folks?
Because Splunk already comes with two full featured pages for analyzing data in an ad hoc fashion - search and pivot - there was no compelling reason to reinvent the wheel. Have you tried using those pages to run the searches above? The unix app comes with a bunch of saved searches in SA-nix that should help you, and similarly you can use the job inspector to take a useful search from the home or metrics view and open it in pivot or search.
Hey Araitz, I talked to you briefly about this at Splunk conf... so I started looking through the saved searches in the app, which led to a long list of macros I need to gather for the searches I need; there were quite a few.
I just had not gathered all the ones I need yet.
I'll probably start using those but was hoping the community base here might have done the work for me 🙂
Perhaps even an app I can provide to users here; it's surprisingly easier to get people to adopt Splunk usage when the UI does everything they need.