All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk App and Add-on for Unix and Linux –– add-on specific fields are not being extracted, which is breaking the dashboards

chris_jepeway
New Member
‎09-26-2017 10:32 AM

I've got the Splunk Add-on for Unix and Linux installed on my index master and across my 3 indexers via a cluster bundle.

In the App for Unix & Linux running on my search head, I can see results from all 4 hosts, text like the output from cpu.sh and ps.sh.

But none of the add-on specific fields, e.g., pctCPU from top.sh, are being extracted, which of course breaks many of the associated dashboards.

Any help on getting the app & add-ons working, and in particular, fixing field extraction, across the cluster would be very much appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎09-27-2017 02:19 AM

Hi @chris.jepeway,

To achieve this field extraction on search head you need to install Splunk Add-on for Unix and Linux (Splunk_TA_nix) on search head because field extraction (props.conf) and field transformation (transforms.conf) is available in Add-on to break those fields not in App.

Thanks,
Harshil

View solution in original post

Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎09-27-2017 02:19 AM

Hi @chris.jepeway,

To achieve this field extraction on search head you need to install Splunk Add-on for Unix and Linux (Splunk_TA_nix) on search head because field extraction (props.conf) and field transformation (transforms.conf) is available in Add-on to break those fields not in App.

Thanks,
Harshil

Reply
Solved! Jump to solution

chris_jepeway
New Member
‎09-27-2017 02:48 PM

Ah, perfect, it works!

Um, what did I miss when I didn't understand I needed the TA as well as the app? Is that the usual case, e.g.? That I'll need to install a TA as well as an app, whenever both exist, on search heads? Or is this a special case for the Nix app & TA?

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎09-27-2017 09:13 PM

This depends on case by case, for some of the application you require TA and app both on search heads and for some of the application only app is require.

0 Karma
Reply
Solved! Jump to solution

chris_jepeway
New Member
‎09-26-2017 02:52 PM

And, it's worth pointing out that I'm trying to work through installing the app by using tar to extract the tarball into $SPLUNK_HOME/etc/{apps,master-apps} myself, and then copying configs out of default/ and into /local. I've set up inputs.conf (change to disabled = 0) and indexes.conf (add repFactor = auto)...but it seems I'm missing some setup.

I'll try an "install from file" and see what I get.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...