Splunk App for Unix not reporting any data hosts tab

4myexperiment
Explorer

A Splunk indexer (version 6.3.0) is installed and a forwarder (6.2.1) is configured. I can search for data with the query index=os sourcetype="cpu" under the search tab of the Splunk App for Unix. However, under the host tab it shows "unknown - is cpu.sh enabled?" and no data is available. The app is in enabled status under the manage app tab. Did anyone face this issue? Please share your comments.

0 Karma

sloshburch
Splunk Employee

Sounds like you might be peeking at the Data Summary button on a blank Search screen.

If I remember correctly, that is going to show details on the indexes your ID searches by default. Since you likely need to put index=os into a search to get that data, it won't appear on that table.

You can work around this though. That table just runs the metadata command, so you could take a step into your Splunk Ninja training by trying your hand at:

| metadata index=* type=sourcetypes

Learn more at Search Reference: metadata

0 Karma

adonio
Ultra Champion

Can you share the inputs.conf under the nix TA? Is cpu.sh enabled on the forwarder?

0 Karma

4myexperiment
Explorer

The relevant part of inputs.conf is as follows:

# Shows stats per CPU (useful for SMP machines)

[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 30
index = os
disabled = 0

Also, I found that cpu.sh is enabled on the forwarder:

*** Splunk> nix command-line setup > SHOW INPUT STATUS **

Scripted Inputs:

0) /$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/bin/bandwidth.sh
enabled: *** disabled: interval: 60
1) /$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh
enabled: *** disabled: interval: 30

Under the host tab, the data is not showing, not only for cpu.sh but also for other information like df, vmstat, etc. But to my surprise, if I query directly, e.g. index=os and sourcetype=df or vmstat, under the search tab, all data is available up to the latest from all of the hosts. Hence I believe the data is received at the indexer but not processed by the app. Can that be the case?

0 Karma

adonio
Ultra Champion

If you see the data, then this might be the case. Look at the permission for searching indexes by default.
Many times, apps use sourcetypes in searches without indicating an index. If the os index is not searched by default, the panel will not populate.
Go to Settings -> Access controls -> Roles -> your role -> scroll down -> add the os index to "Indexes searched by default".

0 Karma

4myexperiment
Explorer

Thanks for your efforts and information. For sure, I can verify your suggestion.

By the way, I am finding some errors printed in splunkd.log on the Splunk indexer instance which mention time parsing. After installing the Splunk App for Unix, is there any time parsing configuration that needs to be done for the inputs received?

The errors are printed as follows:

04-26-2017 00:36:01.682 +0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Aug 8 00:13:09 2016). Context: source::ps|host::XXXXXX|ps|24272
04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Thu Oct 27 17:33:59 2016) is suspiciously far away from the previous event's time (Tue Apr 25 16:16:42 2017), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX|lastlog|24275\n 315 similar messages suppressed. First occurred at: Wed Apr 26 00:31:31 2017
04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Sun Feb 26 18:20:27 2017) is suspiciously far away from the previous event's time (Mon Sep 28 12:43:48 2015), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX1|lastlog|24275

Can there be any case where the data cannot be pulled and displayed in the app dashboard if time parsing is failing?

0 Karma
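
The DateParserVerbose warnings quoted above can be triaged by grouping them per sourcetype and host, which shows which inputs are producing unparsed or far-off timestamps and how large the jump is. This is an added example, not part of the original thread: the function and constant names are hypothetical, the sample is the three log lines from the post, and treating the third `Context:` field as the sourcetype is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three splunkd.log warnings quoted in the thread.
SAMPLE = r"""
04-26-2017 00:36:01.682 +0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Aug 8 00:13:09 2016). Context: source::ps|host::XXXXXX|ps|24272
04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Thu Oct 27 17:33:59 2016) is suspiciously far away from the previous event's time (Tue Apr 25 16:16:42 2017), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX|lastlog|24275\n 315 similar messages suppressed. First occurred at: Wed Apr 26 00:31:31 2017
04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Sun Feb 26 18:20:27 2017) is suspiciously far away from the previous event's time (Mon Sep 28 12:43:48 2015), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX1|lastlog|24275
"""

# Assumption: Context is source::<source>|host::<host>|<sourcetype>|<n>
CONTEXT = re.compile(r"Context: source::([^|]+)\|host::([^|]+)\|([^|]+)\|")
FAR = re.compile(r"Accepted time \(([^)]+)\) is suspiciously far away from "
                 r"the previous event's time \(([^)]+)\)")
SUPPRESSED = re.compile(r"(\d+) similar messages suppressed")


def _ts(text):
    """Parse the ctime-style timestamps splunkd prints inside the warning."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def summarize(log_text):
    """Return {(sourcetype, host): counters} for DateParserVerbose warnings."""
    out = defaultdict(lambda: {"failed": 0, "far_away": 0,
                               "suppressed": 0, "max_gap_days": 0})
    for line in log_text.splitlines():
        ctx = CONTEXT.search(line)
        if "DateParserVerbose" not in line or not ctx:
            continue
        _source, host, sourcetype = ctx.groups()
        row = out[(sourcetype, host)]
        if "Failed to parse timestamp" in line:
            row["failed"] += 1          # event inherited the previous event's time
        far = FAR.search(line)
        if far:
            row["far_away"] += 1        # parsed, but far from the preceding event
            gap = abs(_ts(far.group(1)) - _ts(far.group(2)))
            row["max_gap_days"] = max(row["max_gap_days"], gap.days)
        sup = SUPPRESSED.search(line)
        if sup:
            row["suppressed"] += int(sup.group(1))  # repeats splunkd did not log
    return dict(out)


if __name__ == "__main__":
    for (sourcetype, host), row in sorted(summarize(SAMPLE).items()):
        print(f"{sourcetype:10} {host:10} {row}")
```
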

adonio
Ultra Champion

Please check this doc about sysstat and troubleshooting here:
http://docs.splunk.com/Documentation/UnixApp/5.2.2/User/TroubleshoottheSplunkAppforUnixandLinux

0 Karma