I have installed the universal forwarder on a Linux machine and am receiving logs from /var/log on that machine in my Splunk receiver. I can actively search those logs and can see them coming via Splunk, however, when I open the Splunk App for *Nix it says there are no hosts and no data can be found. How do I configure my receiver to recognize machines as *NIX and populate the app with the proper data?
I have it set up to index=os and index=main
I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu
When you use the preview buttons on the setup page, do you get the data you expect?
"I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu" -- I'm sorry, I don't know what you mean by that. Have you set up the inputs with the TA's setup page?
When I hit preview, I do see the data I expect.
With regards to the /proc/cpuinfo. I am trying to bring in data for cpu but it does not allow me to do so. Currently the cpu data is set to sourcetype=cpu; however, I cannot merge the logs from /proc/cpuinfo to the type cpu, it does not provide that as an option. Furthermore, if I create a new data type and set the cpu info to sourcetype=cpuinfo and hit preview, it provides nothing.
In categories, you should have an "all hosts" or something -- is there anything configured there?
Have you enabled the hardware.sh input? cpu.sh is for performance metrics data.
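As an added example (not posted by anyone in this thread), here is a local/inputs.conf fragment for the Splunk_TA_nix add-on on the forwarder that enables both scripted inputs mentioned above and routes them to the os index the app searches. The stanza names follow the add-on's default/inputs.conf layout; the interval values are assumptions and should be adjusted to your environment.

```ini
# Added example: $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf
# on the universal forwarder. Stanza names match the add-on's scripts;
# intervals below are assumed values, not the add-on's defaults.

# cpu.sh - periodic per-CPU utilisation (performance metrics)
[script://./bin/cpu.sh]
interval = 30
sourcetype = cpu
source = cpu
index = os
disabled = 0

# hardware.sh - static inventory (CPU model/cores, memory, disks).
# On Linux the script reads /proc/cpuinfo itself, so no separate
# monitor input on that file is required.
[script://./bin/hardware.sh]
interval = 36000
sourcetype = hardware
source = hardware
index = os
disabled = 0
```

After saving the file, restart the forwarder (`splunk restart`) and confirm arrival on the indexer with `index=os sourcetype=hardware | stats count by host` before revisiting the app dashboards.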
FYI, I am having a very similar problem. Unfortunately, there isn't a solution in this thread. Does anyone have any other suggestions? Thanks!
I've asked about everything along the data -> input -> index -> macro -> group chain and been assured it's all fine... I'm at a loss. The next troubleshooting step would be to inspect the searches from the source of the dashboard that's not showing what you expect.