I have installed (several times) the Splunk App for Unix (*nix) Version 6.0.1. I have changed the default index in the settings to use index=main by editing the related search macro. I have configured the SUFs 'downstream' to send data to the main index and I can see all the data arriving in the index as expected. Note this is installed on a Splunk dedicated single instance running version 8.1.3 (Enterprise On-Premises).
In the settings section of the App, I can see the correct index is specified (main) and clicking on the various Preview button options returns valid data. See below for examples:
Index Specification, and verify "Preview" selections:
CPU data preview:
DF Data Preview:
Suffice it to say that all the other Preview buttons also return valid data. This would imply that the data is correctly configured and the application should be able to consume it.
However, when I try and look at the dashboards of the app, they all remain free of any data, as can be seen from the screen captures below:
I am kinda out of ideas. Anyone got anything?
Cheers
Chris
The add-on shouldn't be used graphically on the Windows instance. The add-on's main purpose is to extract fields so that your App shows data in the dashboards. So ideally you would have the following set up:
Linux Boxes: Add-on for Unix
Windows Box: App for Unix, Add-on for Unix
Data will send from the Linux boxes (with inputs turned on which you have) to the Windows box. You may need to restart the Windows box, but it *should* populate the dashboards if the addon is present on the Windows box.
It is essentially the process that malmoore lays out in this post:
Let me know if you get any further!
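Two searches that check the diagnosis above from the Windows search head (an added example, not from this thread or from Splunk's own documentation; it assumes the add-on's app directory is named Splunk_TA_nix and that its CPU data lands in sourcetype=cpu):

```spl
``` Check 1: is the Add-on for Unix installed on this instance (the search head), not just on the forwarders? ```
| rest /services/apps/local
| search title="Splunk_TA_nix"
| table title version disabled

``` Check 2: are the add-on's field extractions actually applied at search time?
    If only default fields (host, source, sourcetype, _raw, _time, ...) show up,
    the raw events are indexed but the add-on is not extracting fields on this box. ```
index=main sourcetype=cpu earliest=-15m
| fieldsummary
| table field count
```

An empty result from the first search, or only default fields from the second, matches the "add-on missing on the Windows box" situation described above.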
Chris,
Is the addon installed on the instance as well and not just on the forwarder(s)? This seems similar to the linked Community post below yet not exactly.
Hope that helped!
I have the Splunk TA for Linux deployed to my two test servers and their configuration is what is sending the data through to the main index:
I had to manually change the permissions on the .sh and .py files due to my deployment server being a Windows box, but they are both sending all the expected telemetry from the SUF and TA to the main index.
...I had assumed, as the indexer was Windows, that it would not need the TA, but I will try that next - thanks!
Looks like the indexer might have to be a Linux box too - annoying!
Victory: you are a STAR
See the app troubleshooting guide at https://docs.splunk.com/Documentation/UnixApp/6.0.0/User/TroubleshoottheSplunkAppforUnixandLinux
If that doesn't help then open a Splunk support request.
Alas, I am but a humble tinkerer and do not have paid support options! 😞