- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk Add-On for Unix and Linux - UF doesn't ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
the initial situation is the following: I have an all-in-one instance, that simultaneously takes on the role of the DS, and a UF that sends its data to the AiO. The required stanzas were distributed as a separate app, in addition to the Linux TA via the DS. Scripted inputs from the TA like "vmstat.sh" or "netstat.sh" can be browsed on the AiO and work so far.
In the next step I wanted to activate the "cpu_metric.sh" stanza and proceeded like this:
1. I created a metric index on the AiO, called "linux_metrics".
2. I configured the inputs.conf under the "deployment-apps" on the AiO and enabled the stanza. This config was pushed to the UF, or rather it was pulled by the UF.
Config:
[script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu_metric.sh]
interval = 30
disabled = 0
index = linux_metrics
Unfortunately, however, no data ran into my metric index. "For fun" I tried the same procedure for other metric stanzas, which then immediately passed their data to the dedicated indexer.
Standard solutions, like installing sysstat, have already been tried.
Maybe one of you can think of something else. Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello, thanks for your quick response!
I tried your solution, but unfortunately it did not solve the problem either.
But I wanted to dig a little depper, so I started "cpu_metric.sh" and "cpu.sh" manually to check if they both work. Since they returned the same values, in the same format, I had the idea that "cpu_metric.sh" might not return metric data at all. I then created a dedicated event indexer and specified that for the stanza. Immediately the UF sent data concerning the stanza "cpu_metric.sh" to this indexer.
Short summary: It seems to work fine with an event indexer and "cpu_metric.sh" apparently doesn't send metric data.
But thanks again for your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @Henri,
have you in the other index logs from cpu_metric.sh?
did you tried to delete (or comment) the cpu_metric.sh stanza in inputs.conf in both local and default folder of the TA_nix App, leaving only the input of the additional Add-On?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello, thanks for your quick response!
I tried your solution, but unfortunately it did not solve the problem either.
But I wanted to dig a little depper, so I started "cpu_metric.sh" and "cpu.sh" manually to check if they both work. Since they returned the same values, in the same format, I had the idea that "cpu_metric.sh" might not return metric data at all. I then created a dedicated event indexer and specified that for the stanza. Immediately the UF sent data concerning the stanza "cpu_metric.sh" to this indexer.
Short summary: It seems to work fine with an event indexer and "cpu_metric.sh" apparently doesn't send metric data.
But thanks again for your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
