
Splunk App for Unix and Linux: Why are fields not being properly extracted from Solaris machines resulting in incorrect data?

splunker9999
Path Finder

Hi, we have configured the Splunk App for Unix and Linux on all our hosts and we're facing a weird issue.

This app is working fine on all our Linux and HP UX boxes, but on Solaris boxes vmstat is not working as expected.

Issues:
On Linux or HP UX, fields are extracted properly and we see data. But for Solaris, fields are not extracted properly and we see incorrect data.

Below is a sample log file:

memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi
     16384      439337     -422953      2681.5     -2581.5          77         36.4           0  13949520474  10370043883    20143325         123         727        0.31

The memUsedPct and memFreePct values are incorrect, and this should be the same for all the other values.

Can someone please advise on this?

Below is the Python script which is calling this data:

if [ "x$KERNEL" = "xSunOS" ] ; then
        # Solaris branch: make sure the collectors we depend on exist
        assertHaveCommand vmstat
        assertHaveCommandGivenPath /usr/sbin/swap
        assertHaveCommandGivenPath /usr/sbin/prtconf
        assertHaveCommand prstat
        # CMD is the combined command whose output the PARSE_* awk programs read;
        # Solaris 8/9 vmstat has no -q option, newer releases use it
        if [ $SOLARIS_8 -o $SOLARIS_9 ] ; then
                CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat    1 1 ; vmstat -s ; prstat -n 1 1 1'
        else
                CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 1 ; vmstat -s ; prstat -n 1 1 1'
        fi
        # memTotalMB from the prtconf line; memFreeMB from column 5 (free KB) of line 5, the vmstat data row
        PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
        # swap -s output is line 2 of CMD's output
        PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
        # counters from vmstat -s
        PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
        PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
        # process/thread counts and 1-minute load average from prstat's Total: line
        PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
fi
0 Karma
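To see what the PARSE_0 program in the post actually does with CMD's output, here is an added example (not code from the Splunk App for Unix and Linux): it runs that awk program over a constructed, Solaris-like copy of the combined output, derives the percentages, and rejects value pairs that cannot come from a real measurement. The sample output lines are invented.

```shell
#!/bin/sh
# Added example, not code from the Splunk App for Unix and Linux. It runs the
# PARSE_0 awk program quoted in the post over a constructed copy of CMD's
# output, derives memUsedPct/memFreePct from the result, and rejects value
# pairs that cannot come from a real measurement.

# The awk program exactly as it appears in the post. memFreeMB is keyed on the
# absolute line number NR==5, so it assumes the vmstat data row is always the
# fifth line of the combined prtconf / swap -s / vmstat output.
PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'

# Constructed stand-in for CMD's output on a 16 GB host (numbers are invented
# but follow the layout: prtconf line, swap -s line, two vmstat header rows,
# vmstat data row with free memory in KB in column 5).
sample_cmd_output() {
  cat <<'EOF'
Memory size: 16384 Megabytes
total: 2462892k bytes allocated + 433828k reserved = 2896720k used, 18920004k available
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0 18920004 449881 12 55 0 0 0 0 0 0 0 0 0 1234 5678 910 2 1 97
EOF
}

# Read CMD output on stdin; print "memTotalMB memFreeMB memUsedPct memFreePct".
parse_mem() {
  awk "$PARSE_0"'
    END {
      if (memTotalMB <= 0) { print "0 0 0.0 0.0"; exit }
      memUsedMB = memTotalMB - memFreeMB
      printf "%d %d %.1f %.1f\n", memTotalMB, memFreeMB,
             memUsedMB / memTotalMB * 100, memFreeMB / memTotalMB * 100
    }'
}

# check_mem TOTAL FREE: succeed only when the pair is physically possible.
# Free memory above the installed total (the post shows 439337 vs 16384) means
# the row/column assumption in PARSE_0 did not hold on that host, so the
# derived memUsedPct/memFreePct should be dropped rather than indexed.
check_mem() {
  [ "$1" -gt 0 ] && [ "$2" -ge 0 ] && [ "$2" -le "$1" ]
}
```

Running `sample_cmd_output | parse_mem` on the constructed input yields a free value well below the total, whereas the numbers from the post fail `check_mem`.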

jkat54
SplunkTrust

Since I don't see where the script is creating these fields it makes me think there is more to the script or the fields in question are evaluated.

You can probably fix this using the props.conf in the app's local directory to evaluate the same field names.

 [sourcetypeName]
 EVAL-memUsedPct= memUsedMB/memTotalMB*100
 EVAL-memFreePct= memFreeMB/memTotalMB*100
0 Karma

splunker9999
Path Finder

Added the lines below, but this is not solving the problem. I can still see events in the same format.

I believe the above lines are already added to the script.

0 Karma