All Apps and Add-ons

Nix App netstat.sh line breaking on some servers

glitchcowboy
Path Finder

I've got the nix app running on my search head, and 300 or so nix Forwarders sending data in. On some of the forwarders, the netstat.sh output gets broken into one event per line in a search, but the others have a single event per netstat.sh run.

This is consistent whether the OS is AIX or RHEL.

Has anyone ever seen this before?

Tags (2)
0 Karma
1 Solution

glitchcowboy
Path Finder

It took me several days to find it (with the expert leading of mlanghor).

Turns out that the unix app was disabled on the indexers, so they didn't know about the props.conf settings used to parse the netstat.sh input.

The key troubleshooting tip was:

$SPLUNK_HOME/bin/splunk cmd btool props list --debug netstat

On a test indexer I built just for troubleshooting this, it returns data about the netstat props config. On my production indexer, I got a blank stare (no output).

View solution in original post

glitchcowboy
Path Finder

It took me several days to find it (with the expert leading of mlanghor).

Turns out that the unix app was disabled on the indexers, so they didn't know about the props.conf settings used to parse the netstat.sh input.

The key troubleshooting tip was:

$SPLUNK_HOME/bin/splunk cmd btool props list --debug netstat

On a test indexer I built just for troubleshooting this, it returns data about the netstat props config. On my production indexer, I got a blank stare (no output).

Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...