
Has anyone worked on alternatives or have a number of saved searches to replace or modify the current Splunk App for Unix and Linux?

sonicZ
Contributor

I recently rolled out the unix app supported for version 6.1, I believe the unix app was version 5.02 or 5.03, and am pretty disappointed in it.
The current unix app only has last 15min, hour or 24 hours and not being able to change the visualizations is limiting too.
You also can't save the results to colleagues, incident managers etc...very frustrating.

For example, in the older unix app you could at least timechart memory by process for timeframes within our outage.

Has anyone worked on alternatives or have a number of saved searches to replace or modify it?

Right now I need some iostat searches checking for iowait values based on a 1m interval collection in the Splunk_nix_TA

 index=os host=landdb01a*  sourcetype=iostat | timechart span=1m avg(avgWaitMillis) by Device

Also checking for Read/Write values with

 index=os host=ship* sourcetype=iostat  | search Device="dm-0" OR Device="dm-1" OR Device="dm-3" OR Device="dm-4" | timechart span=1m max(wKB_PS) max(rKB_PS) by Device | addtotals fieldname=read *rKB_PS* | addtotals fieldname=write *wKB_PS* | table _time  read write

araitz
Splunk Employee

You can certainly edit the view XML to add more time ranges - we restricted to one day so that folks didn't inadvertently shoot themselves in the foot. Similarly, you can change the visualizations via view XML as well. And why can't you share the URL with other folks?

Because Splunk already comes with two full featured pages for analyzing data in an ad hoc fashion - search and pivot - there was no compelling reason to reinvent the wheel. Have you tried using those pages to run the searches above? The unix app comes with a bunch of saved searches in SA-nix that should help you, and similarly you can use the job inspector to take a useful search from the home or metrics view and open it in pivot or search.

sonicZ
Contributor

Hey Araitz, I talked to you briefly about this at Splunk conf...so I started looking through the saved searches in the app, which led to a long list of macros I need to gather for the searches I need; there were quite a few.
Just had not gathered all the ones I need yet.

I'll probably start using those but was hoping the community base here might have done the work for me 🙂
Perhaps even an app I can provide to users here; it's surprisingly easier to get people to adopt Splunk usage when the UI does everything they need.
