Splunk App for Unix and Linux: Why are fields not being properly extracted from Solaris machines resulting in incorrect data?

splunker9999
Path Finder

Hi, we have configured the Splunk App for Unix and Linux on all our hosts and we're facing a weird issue.

This app is working fine on all our Linux and HP-UX boxes, but on Solaris boxes vmstat is not working as expected.

Issues:
On Linux or HP-UX, fields are extracted properly and we see data. But for Solaris, fields are not extracted properly and we see incorrect data.

Below is sample log file

memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi
     16384      439337     -422953      2681.5     -2581.5          77         36.4           0  13949520474  10370043883    20143325         123         727        0.31

memUsedPct and memFreePct are incorrect values, and this should be the same for all the other values.

Can someone please advise on this?

Below is the Python script which is calling this data:

    # Solaris branch of the app's collection script (the opening if/elif test is
    # cut off in the post). The awk PARSE_n programs run over the combined output
    # of CMD, so NR counts lines across all of the commands in the chain.
    "x$KERNEL" = "xSunOS" ] ; then
            assertHaveCommand vmstat
            assertHaveCommandGivenPath /usr/sbin/swap
            assertHaveCommandGivenPath /usr/sbin/prtconf
            assertHaveCommand prstat
            if [ $SOLARIS_8 -o $SOLARIS_9 ] ; then
                    CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat    1 1 ; vmstat -s ; prstat -n 1 1 1'
            else
                    CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 1 ; vmstat -s ; prstat -n 1 1 1'
            fi
            # line 1 ("Memory size: NNNN Megabytes"): field 3 is total memory in MB
            # line 5 (the vmstat data row): field 5 is free memory in KB, so /1024
            PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
            # line 2 (swap -s): used and available swap are the 4th- and 2nd-last fields
            PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
            # vmstat -s counters, matched by their trailing description
            PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
            PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
            # prstat "Total:" summary line: process and thread counts, 1-minute load
            PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
0 Karma

jkat54
SplunkTrust

Since I don't see where the script is creating these fields, it makes me think there is more to the script, or the fields in question are evaluated.

You can probably fix this using the props.conf in the app's local directory to evaluate the same field names.

 [sourcetypeName]
 EVAL-memUsedPct= memUsedMB/memTotalMB*100
 EVAL-memFreePct= memFreeMB/memTotalMB*100
0 Karma

splunker9999
Path Finder

Added the lines below, but this is not solving the problem. I could still see events in the same format.

I believe the above lines are already added to the script.

0 Karma
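As an added example (not code from the app or from anyone in this thread), the shell/awk script below replays the posted PARSE_0 extraction over constructed Solaris command output, so the `NR==5` / `$5` assumption can be exercised off the box. The sample row in the question already shows why the EVAL approach changes nothing: memUsedMB = 16384 - 439337 = -422953 and memFreePct = 439337 / 16384 * 100 = 2681.5, so the derived columns are arithmetically consistent with the raw memFreeMB, and recomputing them in props.conf yields the same numbers. The value to question is memFreeMB itself, which the script takes from field 5 of line 5 of the combined output. The command output below is constructed and its numbers are invented; the extra line in the second sample stands in for any unexpected line (a second `grep Memory` match, a warning) that shifts the row count, and the header-driven variant and range check are this example's own suggestions, not the app's code.

```shell
#!/bin/sh
# Added example, not from the Splunk App for Unix and Linux. Replays the posted
# PARSE_0 logic over constructed output, contrasts it with a header-driven
# extraction, and adds the range check a practitioner would want.

# Constructed stand-in for the Solaris branch's combined output of
#   prtconf | grep Memory ; swap -s ; vmstat -q 1 1   (vmstat -s / prstat omitted)
# The numbers are invented; only the line layout matters for PARSE_0/PARSE_1.
good_output() {
cat <<'EOF'
Memory size: 16384 Megabytes
total: 1048576k bytes allocated + 524288k reserved = 1572864k used, 15728640k available
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0 15728640 4497408 1 10 0 0 0 0 0 0 0 0 0 300 500 200 1 1 98
EOF
}

# Same data with one extra (constructed) line before the vmstat rows.
shifted_output() {
cat <<'EOF'
Memory size: 16384 Megabytes
total: 1048576k bytes allocated + 524288k reserved = 1572864k used, 15728640k available
NOTICE: constructed extra line, e.g. a second grep match or a warning
 kthr      memory            page            disk          faults      cpu
 r b w   swap  free  re  mf pi po fr de sr s0 s1 s2 s3   in   sy   cs us sy id
 0 0 0 15728640 4497408 1 10 0 0 0 0 0 0 0 0 0 300 500 200 1 1 98
EOF
}

# Prints: memTotalMB memFreeMB memUsedMB memFreePct memUsedPct
# The derived columns use the arithmetic the posted sample row implies
# (used = total - free, percentages relative to total), so whatever lands in
# memFreeMB propagates into every one of them.
emit_fields='
END {
    if (memTotalMB == 0) { print "memTotalMB not found"; exit 1 }
    used = memTotalMB - memFreeMB
    printf "%d %d %d %.1f %.1f\n", memTotalMB, memFreeMB, used,
           memFreeMB / memTotalMB * 100, used / memTotalMB * 100
}'

# 1) The posted extraction: free memory is whatever sits in field 5 of line 5.
parse_fixed() {
    awk '/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'"$emit_fields"
}

# 2) Header-driven extraction: locate the vmstat column named "free", then take
#    that column from the first numeric row after the header, wherever it lands.
parse_by_header() {
    awk '
        /^Memory size:/ { memTotalMB = $3 }
        freecol == 0 { for (i = 1; i <= NF; i++) if ($i == "free") { freecol = i; next } }
        freecol > 0 && !gotfree && $1 ~ /^[0-9]+$/ { memFreeMB = $freecol / 1024; gotfree = 1 }
    '"$emit_fields"
}

# 3) Range check: free memory can never exceed total memory, so a value outside
#    [0, total] means the wrong field was read, not that the host is out of RAM.
sane_mem() {
    awk -v total="$1" -v free="$2" 'BEGIN { exit !(free >= 0 && free <= total) }'
}

# Stand-alone run: both extractions on both samples, then the check on the
# values from the question.
good_output | parse_fixed          # 16384 4392 11992 26.8 73.2
shifted_output | parse_fixed       # 16384 0 16384 0.0 100.0  (field 5 of line 5 is the word "free")
shifted_output | parse_by_header   # 16384 4392 11992 26.8 73.2
sane_mem 16384 439337 || echo "memFreeMB 439337 exceeds memTotalMB 16384: wrong column was read"
```

On the affected Solaris host, running the CMD string from the script by hand and counting lines shows directly whether the vmstat data row is really line 5 and whether its fifth field is the `free` column; if either differs, that is the field to fix, and no amount of re-evaluating the percentages downstream will help.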