I have installed the universal forwarder on a Linux machine and am receiving logs from /var/log on that machine in my Splunk receiver. I can actively search those logs and can see them coming via Splunk; however, when I open the Splunk App for *Nix, it says there are no hosts and no data can be found. How do I configure my receiver to recognize machines as *NIX and populate the app with the proper data?
I have it set up to index=os and index=main.
I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu.
I've asked about everything along the data -> input -> index -> macro -> group chain and been assured it's all fine... I'm at a loss. The next troubleshooting step would be to inspect the searches from the source of the dashboard that's not showing what you expect.
FYI, I am having a very similar problem. Unfortunately, there isn't a solution in this thread. Does anyone have any other suggestions? Thanks!
I have "all hosts". There is nothing else configured there.
hardware.sh and cpu.sh are both enabled. Still no data.
In categories, you should have an "all hosts" or something -- is there anything configured there?
Have you enabled the hardware.sh input? cpu.sh is for performance metrics data.
When I hit preview, I do see the data I expect.
With regard to /proc/cpuinfo: I am trying to bring in data for cpu, but it does not allow me to do so. Currently the cpu data is set to sourcetype=cpu; however, I cannot merge the logs from /proc/cpuinfo to the type cpu; it does not provide that as an option. Furthermore, if I create a new data type and set the cpu info to sourcetype=cpuinfo and hit preview, it provides nothing.
When you use the preview buttons on the setup page, do you get the data you expect?
"I'm also having a problem bringing in local files via /proc/cpuinfo in that it won't let me merge it with the file cpu" -- I'm sorry, I don't know what you mean by that. Have you set up the inputs with the TA's setup page?
What index are you using? Have you set the unix app to search that index?
Did you install sysstat?