Splunk App For Unix and Linux not detecting logs

Montejam2
Explorer

I have installed the universal forwarder on a Linux machine and am receiving logs from /var/log on that machine in my Splunk receiver. I can actively search those logs and can see them coming via Splunk, however, when I open the Splunk App for *Nix it says there are no hosts and no data can be found. How do I configure my receiver to recognize machines as *NIX and populate the app with the proper data?

Montejam2
Explorer

I have it set up to index=os and index=main

I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu

0 Karma

jcoates_splunk
Splunk Employee

I've asked about everything along the data -> input -> index -> macro -> group chain and been assured it's all fine... I'm at a loss. The next troubleshooting step would be to inspect the searches from the source of the dashboard that's not showing what you expect.

0 Karma

Branden
Builder

FYI, I am having a very similar problem. Unfortunately, there isn't a solution in this thread. Does anyone have any other suggestions? Thanks!

0 Karma

Montejam2
Explorer

I have "all hosts". There is nothing else configured there.

hardware.sh and cpu.sh are both enabled. Still no data.

0 Karma

jcoates_splunk
Splunk Employee

In categories, you should have an "all hosts" or something -- is there anything configured there?

Have you enabled the hardware.sh input? cpu.sh is for performance metrics data.

0 Karma

Montejam2
Explorer

When I hit preview, I do see the data I expect.

With regard to /proc/cpuinfo: I am trying to bring in data for cpu but it does not allow me to do so. Currently the cpu data is set to sourcetype=cpu; however, I cannot merge the logs from /proc/cpuinfo into the type cpu, as it does not provide that as an option. Furthermore, if I create a new data type, set the cpu info to sourcetype=cpuinfo and hit preview, it provides nothing.

0 Karma

jcoates_splunk
Splunk Employee

When you use the preview buttons on the setup page, do you get the data you expect?

"I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu" -- I'm sorry, I don't know what you mean by that. Have you set up the inputs with the TA's setup page?

0 Karma

jcoates_splunk
Splunk Employee

What index are you using? Have you set the unix app to search that index?

0 Karma

jcoates_splunk
Splunk Employee

Did you install sysstat?

0 Karma
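The two checks raised in this thread (which index the scripted inputs write to, and whether cpu.sh can actually run, since it depends on sar from the sysstat package) can be done by hand on the forwarder. The script below is an added example for that purpose; it is not part of the thread, the *Nix app or the TA. It assumes the TA lives at /opt/splunkforwarder/etc/apps/Splunk_TA_nix (override with TA_DIR), that enabled inputs are written to local/inputs.conf with defaults in default/inputs.conf, and that the stanza names follow the script://./bin/NAME.sh pattern; adjust those if your install differs.

```shell
#!/bin/sh
# Added troubleshooting helper for Splunk_TA_nix scripted inputs (example code,
# not shipped with Splunk). Assumption: TA_DIR points at the TA on the forwarder.
TA_DIR="${TA_DIR:-/opt/splunkforwarder/etc/apps/Splunk_TA_nix}"

# stanza_value FILE STANZA KEY
# Print the value of KEY inside [STANZA] of an inputs.conf-style file
# (accepts "key = value" and "key=value"); prints nothing if unset.
stanza_value() {
    awk -v stanza="[$2]" -v key="$3" '
        $0 == stanza { in_stanza = 1; next }
        /^\[/        { in_stanza = 0 }
        in_stanza && match($0, "^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")   # drop "key =" prefix
            sub(/[ \t]+$/, "")         # drop trailing whitespace
            print; exit
        }' "$1"
}

# input_status CONF_FILE SCRIPT_NAME
# Print "enabled|<index>" or "disabled|<index>" for [script://./bin/SCRIPT_NAME];
# "default" means no index key, so events land in the indexer's default index.
# Returns 1 when the stanza is missing from CONF_FILE.
input_status() {
    conf="$1"; stanza="script://./bin/$2"
    grep -qFx "[$stanza]" "$conf" 2>/dev/null || return 1
    disabled=$(stanza_value "$conf" "$stanza" disabled)
    idx=$(stanza_value "$conf" "$stanza" index)
    case "$disabled" in
        1|true|True|TRUE) state=disabled ;;
        *)                state=enabled ;;
    esac
    printf '%s|%s\n' "$state" "${idx:-default}"
}

# script_emits SCRIPT_PATH
# Returns 0 if the script exists, is executable and prints at least one line
# when run directly (a silent cpu.sh usually means sar is missing).
script_emits() {
    [ -x "$1" ] || return 1
    "$1" 2>/dev/null | head -n 1 | grep -q .
}

# cpu.sh collects via sar, which ships in the sysstat package.
have_sysstat() {
    command -v sar >/dev/null 2>&1
}

main() {
    conf="$TA_DIR/local/inputs.conf"
    [ -f "$conf" ] || conf="$TA_DIR/default/inputs.conf"
    for s in cpu.sh hardware.sh; do
        if status=$(input_status "$conf" "$s"); then
            echo "$s: $status (from $conf)"
        else
            echo "$s: no stanza found in $conf"
        fi
        if script_emits "$TA_DIR/bin/$s"; then
            echo "$s: produces output when run by hand"
        else
            echo "$s: produces NO output (not executable, or a dependency is missing)"
        fi
    done
    if have_sysstat; then
        echo "sysstat: sar found"
    else
        echo "sysstat: sar not found; install sysstat before expecting cpu data"
    fi
}

main "$@"
```

If a script reports enabled but writes to a different index than the one the *Nix app searches, or reports no output when run by hand, that is the point to fix before looking at the app's dashboards.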