Splunk App for Unix configuration *.sh not running

jonathanfeng · ‎12-04-2019

I'm setting up monitoring for my servers and in the 'Hosts" tab for Splunk App for *nix it asks "unknown - is cpu.sh enabled?" among other .sh's.

looking at the query it tries to run, it shows:

search index=<myindex> sourcetype=cpu host=<myindex>  CPU="all" | append [stats count | eval _raw="no results" ] | eval used = 100 - pctIdle | eval name = "CPU:" | stats first(name) as name avg(used) as used sparkline(avg(used), 2m) as sl | eval used = round(used, 0) . "%" | fillnull used value="unknown - is cpu.sh enabled?" | fields sl

When running index= sourcetype=cpu host=, this is the format:

CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       0.50       0.00       1.00       0.00      98.51
0         1.00       0.00       0.00       0.00      99.00
1         0.98       0.00       0.98       0.98      97.06

I can see that the stock query is not formatted in a way that likes the output of the forwarding server. Namely the CPU="all" part.
How do i set up the index/sourcetype/etc. so it can be categorized correctly? Or if i can adjust the query to regex through accordingly.

louismai · ‎07-04-2020

The answer is shown in this post:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-configuration/td-...

You need to installed Splunk_TA_nix on all indexers/forwarders and searchhead.

The search head needs Splunk_TA_nix to display data.

Tks

Louis.

Splunk App for Unix configuration *.sh not running

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7