
Splunk App For Unix and Linux not detecting logs

Explorer

I have installed the universal forwarder on a Linux machine and am receiving logs from /var/log on that machine in my Splunk receiver. I can actively search those logs and can see them coming via Splunk, however, when I open the Splunk App for *Nix it says there are no hosts and no data can be found. How do I configure my receiver to recognize machines as *NIX and populate the app with the proper data?


Re: Splunk App For Unix and Linux not detecting logs

Splunk Employee

What index are you using? Have you set the unix app to search that index?

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Splunk Employee

Did you install sysstat?

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Explorer

I have it set up to index=os and index=main

I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Splunk Employee

When you use the preview buttons on the setup page, do you get the data you expect?

"I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu" -- I'm sorry, I don't know what you mean by that. Have you set up the inputs with the TA's setup page?

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Explorer

When I hit preview, I do see the data I expect.

With regard to /proc/cpuinfo: I am trying to bring in data for cpu but it does not allow me to do so. Currently the cpu data is set to sourcetype=cpu; however, I cannot merge the logs from /proc/cpuinfo into the type cpu, as it does not provide that as an option. Furthermore, if I create a new data type, set the cpu info to sourcetype=cpuinfo and hit preview, it provides nothing.

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Splunk Employee

In categories, you should have an "all hosts" entry or something similar -- is there anything configured there?

Have you enabled the hardware.sh input? cpu.sh is for performance metrics data.

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Explorer

I have "all hosts". There is nothing else configured there.

hardware.sh and cpu.sh are both enabled. Still no data.

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Builder

Fyi, I am having a very similar problem. Unfortunately, there isn't a solution in this thread. Does anyone have any other suggestions? Thanks!

0 Karma

Re: Splunk App For Unix and Linux not detecting logs

Splunk Employee

I've asked about everything along the data -> input -> index -> macro -> group chain and been assured it's all fine... I'm at a loss. The next troubleshooting step would be to inspect the searches from the source of the dashboard that's not showing what you expect.

0 Karma
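The "data -> input -> index" part of the chain in the last reply can be checked mechanically before reaching for the dashboard searches. The script below is an added example, not code from this thread or from the Splunk app: it parses a Unix TA style inputs.conf, flags scripted inputs that are disabled (the hardware.sh case raised above) or that send data to an index the app is not configured to search, and builds the SPL you would run to confirm events are actually arriving. The sample inputs.conf, its interval values and the set of indexes the app searches (index=os and index=main, as stated earlier in the thread) are constructed for the example; only the stanza layout and the cpu.sh / hardware.sh script names follow the real TA.

```python
import configparser

# Constructed sample of a local inputs.conf for the Unix TA. Stanza names and
# keys follow the Splunk inputs.conf format; the interval and disabled values
# are assumptions for this example, chosen to reproduce the thread's situation
# (cpu.sh enabled, hardware.sh still disabled).
SAMPLE_INPUTS_CONF = """\
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
source = cpu
index = os
disabled = 0

[script://./bin/hardware.sh]
interval = 36000
sourcetype = hardware
source = hardware
index = os
disabled = 1

[monitor:///var/log]
whitelist = (\\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\\.out)
blacklist = (lastlog|anaconda\\.syslog)
index = main
disabled = 0
"""


def parse_inputs_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}.

    Splunk conf files are INI-like: '[stanza]' headers and 'key = value'
    lines. Interpolation is off so '$' in regex values is left untouched,
    and key case is preserved as written.
    """
    parser = configparser.RawConfigParser(
        strict=False, interpolation=None, delimiters=("=",)
    )
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def audit_inputs(stanzas, app_indexes):
    """Walk the input -> index part of the chain.

    Returns (problems, ok): 'problems' lists stanzas that cannot feed the app
    (disabled, wrong index, scripted input with no sourcetype); 'ok' lists the
    stanza names that look healthy. 'app_indexes' is the set of indexes the
    app's setup page is configured to search.
    """
    problems, ok = [], []
    for name, kv in stanzas.items():
        disabled = kv.get("disabled", "0").strip().lower() in ("1", "true")
        index = kv.get("index", "default").strip()
        if disabled:
            problems.append(f"{name}: disabled")
        elif index not in app_indexes:
            problems.append(f"{name}: writes to index={index}, app searches {sorted(app_indexes)}")
        elif name.startswith("script://") and "sourcetype" not in kv:
            problems.append(f"{name}: scripted input has no sourcetype")
        else:
            ok.append(name)
    return problems, ok


def verification_searches(stanzas, ok_names):
    """Build one SPL search per healthy scripted input.

    Each search counts events by host, which is exactly what is missing when
    the app reports 'no hosts': if this returns nothing, the problem is at or
    before the indexer, not in the app's macros or dashboards.
    """
    searches = []
    for name in ok_names:
        kv = stanzas[name]
        if not name.startswith("script://"):
            continue
        searches.append(
            f"index={kv['index']} sourcetype={kv['sourcetype']} | stats count by host"
        )
    return searches


if __name__ == "__main__":
    conf = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    found, healthy = audit_inputs(conf, {"os", "main"})
    for line in found:
        print("PROBLEM:", line)
    for spl in verification_searches(conf, healthy):
        print("RUN:", spl)
```

Run against the sample, the audit reports the hardware.sh stanza as disabled and emits `index=os sourcetype=cpu | stats count by host` for the enabled cpu.sh input; pointing `parse_inputs_conf` at the contents of a real `local/inputs.conf` from the forwarder gives the same check for an actual deployment. Keep in mind that a healthy inputs.conf only proves the forwarder is trying to send; the SPL it produces is what confirms the indexer received the events under the expected index and sourcetype.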