All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Unix and Linux

joewetzel63
Loves-to-Learn
‎12-19-2024 09:11 AM

Hi All,

 

I've installed the Splunk Add-on for Unix and Linux in both Splunk Enterprise as well as my forwarder which is running 9.3.2  However I keep running into this error below:

12-19-2024 15:54:30.303 +0000 ERROR ExecProcessor [1376795 ExecProcessor] - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/vmstat_metric.sh" /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/hardware.sh: line 62: /opt/splunkforwarder/var/run/splunk/tmp/unix_hardware_error_tmpfile: No such file or directory

 

The above is coming from the splunkd.log after I have stopped and restarted the SplunkForwarder.service.  I am very new to Splunk and do not posses any certifications.  My company has tasked me with learning and configuring Splunk and I am enjoying it except I am unable to get this data sent to my indexer so that I can see the data in Search and Reporting.

 

These are the steps taken so far:

  1. Installed Splunk Add-on for Unix and Linux on my enterprise UI machine
  2. installed Splunk Add-on for Unix and Linux on my unvf
  3. As the local directory was not created at "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/" I created it and copied the inputs.conf from default to local and then allowed the scripts I wanted.
  4. Made sure the Splunk user was owner and had the privileges needed to the local directory
  5. stopped the splunk service and restarted it.
  6. Ran -  cat /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR
  7. Almost every Error is "unix_hardware_error_tmpfile: No such file or directory"
  8. if I create the tmpfile it disappears and is not recreated

I'm sure there are many other things I didnt mention because I honestly dont remember because I have been trying to figure this issue out since yesterday and am not getting anywhere. 

PLEASE HELP!

Labels (3)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎12-20-2024 11:43 AM

Hi @joewetzel63,

In the error message it complains about "/opt/splunkforwarder/var/run/splunk/tmp/unix_hardware_error_tmpfile" file. This tmp folder does not exist on default, that is why it cannot create unix_hardware_error_tmpfile file. You can try creating /opt/splunkforwarder/var/run/splunk/tmp folder.

When I checked the addon (v9.2.0) it uses correct path as "$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile". 

Can you confirm and try using the latest version of the addn? 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

jw220635
Engager
‎07-04-2025 09:22 AM

After recently upgrading the Splunk_TA_nix to version 9.2.0, I'm seeing the same issue.  Has anyone fixed this issue?

0 Karma
Reply

christinetran
Engager
2 weeks ago

I think it's because hardware.sh is called by both vmware.sh and vmware_metric.sh, and hardware.sh has an rm $TMP_ERROR_FILTER_FILE statement just below the grep statement (where the error is generated.)

If you are running both vmware.sh and vmware_metric.sh at the same periodicity (for example 60 seconds), it's a race condition when both scripts invoke hardware.sh which has an "rm", which would remove the file before the second script get to that line of execution (the grep).  If you look at your error log, the error is logged against vmware.sh or vmware_metric.sh, but not both.  I ran into this issue, and I added a few seconds offset, for example, run vmware.sh at 60 seconds interval and vmware_metric.sh at 65 seconds interval, to eliminate the race condition.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

This calls for a bug report, don't you think? It's a very bad practice if a script relies on a statically named file.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...