All Apps and Add-ons
Highlighted

How can I get the scripts that are found within the Splunk Add-on for Linux and UNIX to generate and send us the information?

Builder

Hey Guys,

So I'm looking into an issue; getting the scripts that are found within the Splunk Add-on for Linux and UNIX to generate and send us the information. Currently only the monitored inputs are working correctly, sending its data parsed as expected. (https://docs.splunk.com/Documentation/UnixAddOn/5.2.4/User/InstalltheSplunkAdd-onforUnixandLinux). We are using the Deployment server to distribute the SplunkTAnix application to the linux nodes.

Our Setup: Server 2012 R2 (Indexer/Deployment Server) sending the SplunkTAnix to the Red hat Linux servers, all the monitored inputs are working to send its data back and can view the source types parsed and working as expected, none of the scripts are working. Anything that looks like: [script://./bin/my_script.sh] doesn't work, Do you know why?

In my research I've found people who seem to have similar issues:
https://answers.splunk.com/answers/60060/how-to-set-automatically-executable-attribute-of-file-in-sp...
https://answers.splunk.com/answers/45408/splunk-not-showing-linux-logs.html - Permission issue was resolved in Kristian kolb's reply.
https://answers.splunk.com/answers/102439/app-for-linux-on-windows-indexer.html - Others who are confused on how to use this app when hosted on a windows box.
https://answers.splunk.com/answers/237809/why-am-i-getting-this-error-trying-to-configure-th.html

0 Karma
Highlighted

Re: How can I get the scripts that are found within the Splunk Add-on for Linux and UNIX to generate and send us the information?

New Member

By default the scripted inputs are disabled (disabled = 1). Enable the inputs that you want the add-on to monitor by setting the disabled attribute for each input stanza to 0. Be sure to do this editing under local/inputs.conf

0 Karma
Highlighted

Re: How can I get the scripts that are found within the Splunk Add-on for Linux and UNIX to generate and send us the information?

Communicator

You can troubleshoot why your scripts are not working, but it is more than likely a permissions issue if you enabled inputs in your inputs.conf and you still do not see your data. You can do this:

  • Navigate to $SPLUNKHOME/etc/apps/SplunkTA_nix/bin.

  • Run sh --debug to run the script in debug mode.

  • The debug output is saved in debug----. This file contains the command that was executed, and its output or the failure reason. Use this information to resolve the missing data issue.

Also, for what it is worth, it is NOT recommended to run a Deployment Server and an Indexer on the same server. Especially a Windows box.

0 Karma