
Splunk add-on for unix and linux detailed list of collected data


Is there a detailed list of the data that the Splunk add-on for Unix and Linux collects?
I found this documentation, but it is not very detailed.
For example, what does TCPrexmits (sourcetype=protocol) mean?
Does this add-on also collect how many packets have been retransmitted?



Splunk Employee

No, there is no other documentation available for the details of the data collected by the Unix and Linux add-on.

The meaning of each field for the sourcetype protocol is as below:

  • IPdropped - Outgoing packets dropped
  • TCPrexmits - Segments retransmitted
  • TCPreorder - Detected reordering
  • TCPpktRecv - Segments received
  • TCPpktSent - Segments send out
  • UDPpktLost - UDP Packet receive errors
  • UDPunkPort - UDP Packets to unknown port received
  • UDPpktRecv - UDP Packets received
  • UDPpktSent - UDP Packets Sent

If you want to understand the meaning of the fields for other sourcetypes, as SloshBurch said, you will have to understand the script for that sourcetype.

And for the data collection of the packets retransmitted, as far as I know only the TCPrexmits field of sourcetype protocol contains that data.
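The field descriptions in the answer above read like the per-line counter text that `netstat -s` prints on Linux (segments retransmitted, outgoing packets dropped, packets to unknown port received, and so on). The following added example, which is not code from the Splunk add-on or from the answer, shows how those nine protocol fields can be recovered from a `netstat -s` snapshot, and why a monitoring or detection use of them needs two snapshots. The mapping of each field to a specific `netstat -s` line is this example's assumption, as is the sample output, which is constructed rather than captured from a real host.

```python
import re

# Constructed sample of Linux-style `netstat -s` output (not captured from a
# real host); used so the example runs offline.
SAMPLE_NETSTAT_S = """\
Ip:
    Forwarding: 2
    1532 total packets received
    0 forwarded
    1520 incoming packets delivered
    1460 requests sent out
    3 outgoing packets dropped
Tcp:
    12 active connection openings
    4 passive connection openings
    1400 segments received
    1350 segments send out
    17 segments retransmitted
    0 bad segments received
    2 resets sent
Udp:
    90 packets received
    6 packets to unknown port received
    1 packet receive errors
    110 packets sent
TcpExt:
    3 TCP sockets finished time wait in fast timer
    Detected reordering 2 times using SACK
    Detected reordering 1 times using time stamp
"""

# Field name -> (netstat section, regex over one stripped line).
# The field names and descriptions are those listed in the answer; the
# correspondence to these exact netstat -s lines is an assumption of this example.
FIELD_PATTERNS = {
    "IPdropped":  ("Ip",     re.compile(r"^(\d+) outgoing packets dropped$")),
    "TCPrexmits": ("Tcp",    re.compile(r"^(\d+) segments retransmitted$")),
    "TCPreorder": ("TcpExt", re.compile(r"^Detected reordering (\d+) times")),
    "TCPpktRecv": ("Tcp",    re.compile(r"^(\d+) segments received$")),
    "TCPpktSent": ("Tcp",    re.compile(r"^(\d+) segments send out$")),
    "UDPpktLost": ("Udp",    re.compile(r"^(\d+) packet receive errors$")),
    "UDPunkPort": ("Udp",    re.compile(r"^(\d+) packets to unknown port received$")),
    "UDPpktRecv": ("Udp",    re.compile(r"^(\d+) packets received$")),
    "UDPpktSent": ("Udp",    re.compile(r"^(\d+) packets sent$")),
}


def parse_protocol_counters(text):
    """Return {field: int} extracted from netstat -s style output.

    Section headers ("Tcp:") start at column 0; counter lines are indented.
    A field that matches several lines in its section (reordering detected
    by SACK and by timestamp) is summed; a field with no matching line is 0.
    """
    counters = {name: 0 for name in FIELD_PATTERNS}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace() and line.endswith(":"):
            section = line[:-1]
            continue
        for name, (sec, pattern) in FIELD_PATTERNS.items():
            if sec != section:
                continue
            m = pattern.match(line)
            if m:
                counters[name] += int(m.group(1))
    return counters


def delta(previous, current):
    """netstat -s counters are cumulative since boot, so a per-interval value
    is the difference between two snapshots; negative deltas mean a reboot or
    counter wrap and are reported as-is so the caller can spot them."""
    return {name: current[name] - previous.get(name, 0) for name in current}


def retransmit_ratio(counters):
    """Retransmitted segments as a fraction of segments sent (0.0 if none sent)."""
    sent = counters["TCPpktSent"]
    return counters["TCPrexmits"] / sent if sent else 0.0


if __name__ == "__main__":
    snapshot = parse_protocol_counters(SAMPLE_NETSTAT_S)
    for name, value in snapshot.items():
        print(f"{name}={value}")
    print(f"retransmit ratio: {retransmit_ratio(snapshot):.4f}")
```

The parser answers the question in the thread directly: TCPrexmits is the count of retransmitted TCP segments, not a timeout value, and it is a running total. To alert on a change in retransmission rate or on a jump in UDP packets to unknown ports (a common symptom of probing against a host), compare consecutive snapshots with `delta` rather than thresholding the raw field.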

Splunk Employee

(What follows is an incomplete answer)

No such detailed list appears to exist. Here's some advice that can help, but you'll see why it is incomplete soon enough.

Based on the banner messages in the link you shared, I suggest these pages instead: Splunk Add-on for Unix and Linux and Source types for the Splunk Add-on for Unix and Linux.

The way I would answer your question is to look at which Unix command is being used for that sourcetype and check that command's man page for the elaboration on what the field represents.

Annoyingly, in the example you provided, it appears that TCPrexmits is a row header produced by the and not actually defined within the Unix command. I can't tell from the script what that field name is meant to represent. As such, this is something I'm discussing with folks internally... but no promises.


Splunk Employee

BTW: merely reading the field name TCPrexmits, I believe it's shorthand for "TCP retransmits". So I guess it is the number of times packets had to be resent? I'm also being told it could map to the retransmission timeout.
