Splunk App for Unix configuration *.sh not running

jonathanfeng
Explorer

I'm setting up monitoring for my servers and in the 'Hosts' tab for Splunk App for *nix it asks "unknown - is cpu.sh enabled?" among other .sh's.

Looking at the query it tries to run, it shows:

search index=<myindex> sourcetype=cpu host=<myindex>  CPU="all" | append [stats count | eval _raw="no results" ] | eval used = 100 - pctIdle | eval name = "CPU:" | stats first(name) as name avg(used) as used sparkline(avg(used), 2m) as sl | eval used = round(used, 0) . "%" | fillnull used value="unknown - is cpu.sh enabled?" | fields sl

When running index= sourcetype=cpu host=, this is the format:

CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       0.50       0.00       1.00       0.00      98.51
0         1.00       0.00       0.00       0.00      99.00
1         0.98       0.00       0.98       0.98      97.06

I can see that the stock query is not formatted in a way that likes the output of the forwarding server. Namely the CPU="all" part.
How do I set up the index/sourcetype/etc. so it can be categorized correctly? Or if I can adjust the query to regex through accordingly.

0 Karma

louismai
Path Finder

The answer is shown in this post:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-configuration/td-...

You need to install Splunk_TA_nix on all indexers/forwarders and the search head.

The search head needs Splunk_TA_nix to display data.

Tks

Louis.
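
An added illustration (not part of the posts above, and not Splunk's or the add-on's code) of why the panel falls back to "unknown - is cpu.sh enabled?" even though the raw event is indexed. It assumes the `CPU` and `pctIdle` fields come from search-time table extraction that Splunk_TA_nix supplies on the search head; all function names are hypothetical.

```python
# Added illustration; not Splunk's or Splunk_TA_nix's implementation.
# Constructed sample: the sourcetype=cpu event shown in the question.
RAW_EVENT = """\
CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       0.50       0.00       1.00       0.00      98.51
0         1.00       0.00       0.00       0.00      99.00
1         0.98       0.00       0.98       0.98      97.06
"""

FALLBACK = "unknown - is cpu.sh enabled?"


def extract_rows(raw):
    """Table-style extraction: header names become fields on every data row."""
    lines = [ln.split() for ln in raw.splitlines() if ln.strip()]
    if len(lines) < 2:
        return []
    header, rows = lines[0], lines[1:]
    # Skip malformed rows whose column count does not match the header.
    return [dict(zip(header, r)) for r in rows if len(r) == len(header)]


def without_extraction(raw):
    """Assumed state with no add-on on the search head: only raw text exists."""
    return [{"_raw": raw}]


def cpu_panel(events, cpu="all"):
    """Mimic the panel search: CPU=<cpu>, used = 100 - pctIdle, avg, round."""
    used = []
    for ev in events:
        if ev.get("CPU") != cpu:
            continue  # no CPU field, or a different row
        try:
            used.append(100 - float(ev["pctIdle"]))
        except (KeyError, ValueError):
            continue  # field missing or non-numeric: contributes nothing
    if not used:
        return FALLBACK  # same effect as fillnull in the dashboard search
    return f"{round(sum(used) / len(used))}%"


if __name__ == "__main__":
    print(cpu_panel(without_extraction(RAW_EVENT)))  # fallback text
    print(cpu_panel(extract_rows(RAW_EVENT)))        # 1%
```
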
