
Has anyone worked on alternatives or have a number of saved searches to replace or modify the current Splunk App for Unix and Linux?


I recently rolled out the unix app supported for version 6.1 (I believe the unix app was version 5.02 or 5.03) and am pretty disappointed in it.
The current unix app only has last 15 min, hour or 24 hours, and not being able to change the visualizations is limiting too.
You also can't save the results to colleagues, incident managers etc. ... very frustrating.

For example, with the older unix app you could at least timechart memory by process for timeframes within our outage.

Has anyone worked on alternatives or have a number of saved searches to replace or modify it?

Right now I need some iostat searches checking for iowait values based on a 1m interval collection in the Splunk_nix_TA:

 index=os host=landdb01a*  sourcetype=iostat | timechart span=1m avg(avgWaitMillis) by Device

and also checking for Read/Write values with:

 index=os host=ship* sourcetype=iostat  | search Device="dm-0" OR Device="dm-1" OR Device="dm-3" OR Device="dm-4" | timechart span=1m max(wKB_PS) max(rKB_PS) by Device | addtotals fieldname=read *rKB_PS* | addtotals fieldname=write *wKB_PS* | table _time  read write
0 Karma

Splunk Employee

You can certainly edit the view XML to add more time ranges - we restricted it to one day so that folks didn't inadvertently shoot themselves in the foot. Similarly, you can change the visualizations via view XML as well. And why can't you share the URL with other folks?

Because Splunk already comes with two full-featured pages for analyzing data in an ad hoc fashion - search and pivot - there was no compelling reason to reinvent the wheel. Have you tried using those pages to run the searches above? The unix app comes with a bunch of saved searches in SA-nix that should help you, and similarly you can use the job inspector to take a useful search from the home or metrics view and open it in pivot or search.
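As an added illustration of the view-XML route described in the reply above (example Simple XML written for this thread, not code from the original post or from the Splunk App for Unix and Linux), here is a form that wraps the iowait and read/write searches from the question in a time picker and a host filter, so the range is no longer fixed at 15m/1h/24h. The dashboard label, the token names `tok_time` and `tok_host`, and the default host pattern are assumptions.

```xml
<form>
  <!-- Added example: Simple XML form around the iostat searches from the
       question. Label, token names and defaults are assumptions, not
       values taken from the app. -->
  <label>iostat wait and throughput by device (example)</label>
  <fieldset submitButton="true">
    <!-- Time picker replaces the fixed 15m/1h/24h ranges of the app view -->
    <input type="time" token="tok_time">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <!-- Host pattern; default is the value used in the question -->
    <input type="text" token="tok_host">
      <label>Host</label>
      <default>landdb01a*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Average wait (ms) per device, 1m buckets</title>
      <chart>
        <search>
          <query>index=os host=$tok_host$ sourcetype=iostat
| timechart span=1m avg(avgWaitMillis) by Device</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Peak read/write KB/s across selected devices, 1m buckets</title>
      <table>
        <search>
          <query>index=os host=$tok_host$ sourcetype=iostat (Device="dm-0" OR Device="dm-1")
| timechart span=1m max(wKB_PS) max(rKB_PS) by Device
| addtotals fieldname=read *rKB_PS* | addtotals fieldname=write *wKB_PS*
| table _time read write</query>
          <earliest>$tok_time.earliest$</earliest>
          <latest>$tok_time.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the selected time range and host are carried in the form's URL as tokens, the link can be handed to a colleague or incident manager and opens on the same view.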


Hey Araitz, I talked to you briefly about this at Splunk. I started looking through the saved searches in the app, which led to a long list of macros I need to gather for the searches I need; there were quite a few.
I just had not gathered all the ones I need yet.

I'll probably start using those but was hoping the community base here might have done the work for me 🙂
Perhaps even an app I can provide to users here; it's surprisingly easier to get people to adopt Splunk usage when the UI does everything they need.

0 Karma