All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Unix and Linux: Why vmstat from the add-on running on a universal forwarder stopped showing numeric data from events, only the headers?

arkadyz1
Builder
‎03-26-2015 12:11 PM

We've recently experienced a very strange situation: vmstat from Splunk_TA_nix, running on a Splunk universal forwarder, stopped showing the numbers among the events - just the headers ("memTotalMB memFreeMB memUsedMB"...). We tried looking around in all kinds of conf files, but in the end, restarted the forwarder - and the events started coming again just fine!

Has anyone experienced such a loss of information? Since it's working for us now, I don't need an immediate action, but would like some insight into how it might have happened.

Reply

freedomson
Explorer
‎09-06-2018 12:49 PM

I had the some issue with:

  • CentOS release 6.2 (Final)
  • Unix addon version 5.2.4

After some long hours I was able to successfully forward data by changing /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/vmstat.sh

Removed the last lines:

$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

And replaced them by:

RESULT=$($CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF")
echo $RESULT | awk -F'pgPageOut_PS  ' '{printf "%s\n%s", $1, $2}'

And it worked!

Note:
At the moment from my investigation it seems there is some kind of timeout on script stanzas that we are not able to control in the configuration file of the universal forward.

0 Karma
Reply

ravitejaj
Explorer
‎11-27-2017 03:34 PM

I have the similar issue .. Did you get this resolution?

0 Karma
Reply

ianthompson
New Member
‎09-09-2015 01:15 AM

I have a similar problem where we are getting heads and data on different lines , although they are showing the same time stamp.

0 Karma
Reply

freedomson
Explorer
‎09-06-2018 12:56 AM

I had the some issue with:

  • CentOS release 6.2 (Final)
  • Unix addon version 5.2.4

After some long hours I was able to successfully forward data by changing /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/vmstat.sh

Removed the last lines:

$CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF"  header="$HEADER"
echo "Cmd = [$CMD];  | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> $TEE_DEST

And replaced them by:

RESULT=$($CMD | tee $TEE_DEST | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF")
echo $RESULT | awk -F'pgPageOut_PS  ' '{printf "%s\n%s", $1, $2}'

And it worked!

Reply

malmoore
Splunk Employee
Splunk Employee
‎04-14-2015 06:18 PM

Did you take a look at any of the log files (both in Splunk and on the system) to see if there was a problem when vmstat.sh was only returning the header?

What version of *nix do you run?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...