All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Unix and Linux coming up empty

redc
Builder
‎06-27-2014 02:49 PM

I'm in the process of setting up the Splunk App for Unix and Linux and the Splunk Add-on for Unix and Linux.

I've installed and configured the App via Splunk Web (which runs on a Windows box) using default settings. I've installed the Add-on on one of my Linux boxes and enabled all of the default inputs using default settings. I've got data flowing into the "os" index.

But...all of the App dashboards are coming up empty/"No results found."

Here's a screenshot of the Hosts dashboard, showing the information for the one Linux host I've configured:
Hosts dashboard, all info "unknown"

Using the "Process Status" as an example (since it's easy to inspect), I get:
This search has completed and found 5 matching events. However, the transforming commands in the highlighted portion of the following search:

search index=os sourcetype=top host=my-host-name | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME

generated no results.

If I run the search command portion (excluding the stats command and everything after it), I get events that look like this (screenshot #2); I assume this format normal:
Sample event from index=os sourcetype=top host=my-host-name

Argh! So, what am I missing?

Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎06-27-2014 03:11 PM

Well I think you've found your own problem. Doesn't sound like the TA-nix is installed on your search head. Not sure how that can be? Here's the stanza from Splunk_TA_nix/default/props.conf:

 [top]
 SHOULD_LINEMERGE=false
 LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
 TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT
 KV_MODE=multi

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎06-27-2014 03:11 PM

Well I think you've found your own problem. Doesn't sound like the TA-nix is installed on your search head. Not sure how that can be? Here's the stanza from Splunk_TA_nix/default/props.conf:

 [top]
 SHOULD_LINEMERGE=false
 LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
 TRUNCATE=1000000
 DATETIME_CONFIG = CURRENT
 KV_MODE=multi
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎06-27-2014 03:39 PM

See above comment - answers won't let me move it 🙂

0 Karma
Reply
Solved! Jump to solution

redc
Builder
‎06-27-2014 03:02 PM

The bottom screenshot is the data that should be filling the "Process Status" portion of the first screenshot, NOT the cpu.sh, vmstat.sh, and df.sh portions in the "Specification" and "System Status" portions. Those three inputs are also sending data to the "os" index but getting the same "transforming commands" generated no results error as above.

Yes, I performed the actions in that document, up to the alerts portion (I'm not ready yet to start alerts flowing), including deleting the auto-created "all_hosts" and "default" category/group in order to configure my own.

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎06-27-2014 02:57 PM

I don't know what to tell you about the app in general, but I know what is wrong with this particular search!

index=os sourcetype=top host=my-host-name  
| multikv
| stats  max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER 
 | eval  CMD=COMMAND  
| fields  CMD, USER, pctCPU, pctMEM, cpuTIME

My only other suggestion is that you check the versions of the app and the add-on - there may be older and newer versions, and you should be sure to use versions of the two that work together...

There is a manual for the app at Splunk App for Linux and Unix

Reply
Solved! Jump to solution

redc
Builder
‎06-27-2014 03:25 PM

Ah-ha. I'd installed it, but it was disabled. Enabling the Splunk_TA_nix on the search head solved it.

0 Karma
Reply
Solved! Jump to solution

redc
Builder
‎06-27-2014 03:07 PM

Just for kicks, I tried this by running the search manually and it does generate output where before it doesn't. Sorry @araitz.

However, I find it odd that the app doesn't do this "out of the box" since I would expect there to always be multiple commands/users running on any given server (or at least, for that to be the case more often than not).

But is this the solution? Since I haven't seen what this dashboard should look like when it's working correctly, I'm not sure if this produces the correct results.

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎06-27-2014 03:01 PM

@lguinn - the nix TA runs KV_MODE=MULTI automatically, so running multikv explicitly is not required.

0 Karma
Reply
Solved! Jump to solution

araitz
Splunk Employee
Splunk Employee
‎06-27-2014 02:55 PM

Did you follow the prompt from the home page to set up the app? Did you read through the docs on first time configuration?

http://docs.splunk.com/Documentation/UnixApp/latest/User/First-timeconfiguration

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...