All Apps and Add-ons

Splunk App for Unix configuration *.sh not running

jonathanfeng
Explorer

I'm setting up monitoring for my servers and in the 'Hosts" tab for Splunk App for *nix it asks "unknown - is cpu.sh enabled?" among other .sh's.

looking at the query it tries to run, it shows:

search index=<myindex> sourcetype=cpu host=<myindex>  CPU="all" | append [stats count | eval _raw="no results" ] | eval used = 100 - pctIdle | eval name = "CPU:" | stats first(name) as name avg(used) as used sparkline(avg(used), 2m) as sl | eval used = round(used, 0) . "%" | fillnull used value="unknown - is cpu.sh enabled?" | fields sl

When running index= sourcetype=cpu host=, this is the format:

CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       0.50       0.00       1.00       0.00      98.51
0         1.00       0.00       0.00       0.00      99.00
1         0.98       0.00       0.98       0.98      97.06

I can see that the stock query is not formatted in a way that likes the output of the forwarding server. Namely the CPU="all" part.
How do i set up the index/sourcetype/etc. so it can be categorized correctly? Or if i can adjust the query to regex through accordingly.

0 Karma

louismai
Path Finder

The answer is shown in this post:

https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-App-for-Unix-and-Linux-configuration/td-...

You need to installed Splunk_TA_nix on all indexers/forwarders and searchhead.

The search head needs Splunk_TA_nix to display data.

Tks

Louis.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...