All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Add-on for Unix and Linux: Why vmstat from the add-on running on a universal forwarder stopped showing numeric data from events, only the headers?

arkadyz1
Builder
‎03-26-2015 12:11 PM

We've recently experienced a very strange situation: vmstat from Splunk_TA_nix, running on a Splunk universal forwarder, stopped showing the numbers among the events - just the headers ("memTotalMB memFreeMB memUsedMB"...). We tried looking around in all kinds of conf files, but in the end, restarted the forwarder - and the events started coming again just fine!

Has anyone experienced such a loss of information? Since it's working for us now, I don't need an immediate action, but would like some insight into how it might have happened.

Reply

freedomson
Explorer
‎09-06-2018 12:49 PM

I had the some issue with:

  • CentOS release 6.2 (Final)
  • Unix addon version 5.2.4

After some long hours I was able to successfully forward data by changing /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/vmstat.sh

Removed the last lines:

$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

And replaced them by:

RESULT=$($CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF")
echo $RESULT | awk -F'pgPageOut_PS  ' '{printf "%s\n%s", $1, $2}'

And it worked!

Note:
At the moment from my investigation it seems there is some kind of timeout on script stanzas that we are not able to control in the configuration file of the universal forward.

0 Karma
Reply

ravitejaj
Explorer
‎11-27-2017 03:34 PM

I have the similar issue .. Did you get this resolution?

0 Karma
Reply

ianthompson
New Member
‎09-09-2015 01:15 AM

I have a similar problem where we are getting heads and data on different lines , although they are showing the same time stamp.

0 Karma
Reply

freedomson
Explorer
‎09-06-2018 12:56 AM

I had the some issue with:

  • CentOS release 6.2 (Final)
  • Unix addon version 5.2.4

After some long hours I was able to successfully forward data by changing /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/vmstat.sh

Removed the last lines:

$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

And replaced them by:

RESULT=$($CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF")
echo $RESULT | awk -F'pgPageOut_PS  ' '{printf "%s\n%s", $1, $2}'

And it worked!

Reply

malmoore
Splunk Employee
Splunk Employee
‎04-14-2015 06:18 PM

Did you take a look at any of the log files (both in Splunk and on the system) to see if there was a problem when vmstat.sh was only returning the header?

What version of *nix do you run?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...