I installed the Splunk App for Unix and Linux and the Splunk Add-on for Unix and Linux.
I have a problem with sourcetype=netstat. The fields of these events aren't automatically extracted.
If I search (in verbose mode): "index=os sourcetype=netstat" this is the result:
As you can see, the fields "Proto Recv-Q Send-Q LocalAddress ForeignAddress State" are not extracted.
Instead, if I search (in verbose mode) "index=os sourcetype=iostat", the result is fine:
I know this is an answered ticket, but shouldn't it be fixed in the add-on so that it's automatically available to anyone without any manual configuration changes?
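For readers hitting the same gap, the following is an added example (not code from the poster, the Splunk App or the Add-on for Unix and Linux) showing one regex that pulls the six columns named above out of classic netstat table output. The sample lines, the regex and the field names are my assumptions about the format, modelled on the header shown in the post; the State column is treated as optional because UDP sockets print none.

```python
import re

# One pattern for a row of the "Proto Recv-Q Send-Q Local Address Foreign Address State"
# table. Assumption: addresses contain no whitespace, queues are decimal integers, and
# State is absent for UDP rows. Header and title lines simply fail to match.
NETSTAT_ROW = re.compile(
    r"^(?P<Proto>tcp6?|udp6?)\s+"
    r"(?P<RecvQ>\d+)\s+"
    r"(?P<SendQ>\d+)\s+"
    r"(?P<LocalAddress>\S+)\s+"
    r"(?P<ForeignAddress>\S+)"
    r"(?:\s+(?P<State>[A-Z_]+))?\s*$"
)

# Constructed sample, in the layout of `netstat -an`; not captured from a real host.
SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0     52 10.0.0.5:22             192.0.2.10:51234        ESTABLISHED
tcp6       0      0 :::8089                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def split_port(addr):
    """Split 'host:port' on the last colon so IPv6 forms like ':::8089' still work.
    The port is returned as a string because netstat prints '*' for wildcards."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket row, with the same field names the post lists
    plus LocalPort/ForeignPort derived from the address columns."""
    events = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # title, header and blank lines carry no socket
        f = m.groupdict()
        f["RecvQ"] = int(f["RecvQ"])
        f["SendQ"] = int(f["SendQ"])
        f["State"] = f["State"] or ""  # UDP rows have no state column
        f["LocalHost"], f["LocalPort"] = split_port(f["LocalAddress"])
        f["ForeignHost"], f["ForeignPort"] = split_port(f["ForeignAddress"])
        events.append(f)
    return events


def listening_ports(text):
    """Convenience view: sorted (proto, port) pairs for sockets in LISTEN state."""
    return sorted(
        {(e["Proto"], e["LocalPort"]) for e in parse_netstat(text) if e["State"] == "LISTEN"}
    )


if __name__ == "__main__":
    for ev in parse_netstat(SAMPLE):
        print(ev)
    print(listening_ports(SAMPLE))
```

The same pattern, with PCRE-style named groups, is the kind of expression a Splunk EXTRACT- stanza in props.conf would take for the sourcetype; that is offered as an assumption about how one would wire it up locally, not as a statement of what the add-on ships.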