All Apps and Add-ons

*Nix App not returning frequently enough

Hazel
Communicator

We use the *Nix application to pick up all the stats from our servers (cpu, ps etc) and I see in the inputs.conf that these should run at intervals such as 30 seconds for cpu. However, when I do a websearch this doesnt seem to be the case - results seem to return at random intervals. The forwarder is 97% idle so it can't be that it is too busy to return results. Is this a known issue or do you expect to see cpu events every 30 seconds?

Thanks!

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

It's not completely clear to me what you mean by "websearch". Is it definitely the case that the raw data is not being generated, or is it that when you run reports over that data, you are not seeing it in the intervals you are expecting?

For example, ... | timechart avg(CPU) would adjust the intervals automatically according to the overall time range of the query. Is it possible that is what is happening?

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

It's not completely clear to me what you mean by "websearch". Is it definitely the case that the raw data is not being generated, or is it that when you run reports over that data, you are not seeing it in the intervals you are expecting?

For example, ... | timechart avg(CPU) would adjust the intervals automatically according to the overall time range of the query. Is it possible that is what is happening?

Hazel
Communicator

thankyou I will take a look and open this up again if I can't work out what is happening.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Yes, you should be able to turn up logging on the Forwarder to see whenever it runs the scripts. You would turn up the log level for "ScriptRunner". http://www.splunk.com/base/Documentation/4.1/Admin/ContactSupport#Log_levels_and_starting_in_debug_m...

0 Karma

Hazel
Communicator

To add a little more detail - I am just running searches such as index=os sourcetype=cpu host=... and I do not see the data at the intervals I would expect.

Is there a way i can check whether the issue is the forwarder or indexer side? Can i see how often the forwarder kicks off the script?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...