Splunk add-on for unix and linux detailed list of collected data

faustf
Communicator

Is there a detailed list of the data that the Splunk add-on for unix and linux collects?
I found this documentation, but it is not so detailed.
For example, what does TCPrexmits (sourcetype=protocol) mean?
Does this add-on also collect how many packets have been retransmitted?

Thanks

fbhoraniya_splu
Splunk Employee

No, there is no other documentation available for the details of the data collected by the unix and linux add-on.

The meaning of each field for the sourcetype protocol is as below:

  • IPdropped - Outgoing packets dropped
  • TCPrexmits - Segments retransmitted
  • TCPreorder - Detected reordering
  • TCPpktRecv - Segments received
  • TCPpktSent - Segments send out
  • UDPpktLost - UDP Packet receive errors
  • UDPunkPort - UDP Packets to unknown port received
  • UDPpktRecv - UDP Packets received
  • UDPpktSent - UDP Packets Sent

If you want to understand the meaning of the fields for other sourcetypes, as SloshBurch said, you will have to understand the script of that sourcetype.

And for the data collection of the packets re-transmitted, to my knowledge only the TCPrexmits field of sourcetype protocol contains that data.
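As an added example (not the add-on's own protocol.sh, which is not reproduced on this page), the script below maps constructed `netstat -s`-style output onto the protocol sourcetype field names listed above and derives a retransmit share that can be baselined when watching TCPrexmits. It assumes those field descriptions correspond to `netstat -s` counter lines; the section/line pairing and the sample counters are constructed for illustration.

```python
import re
# Constructed sample in the layout of `netstat -s` output (not captured from a real host).
SAMPLE_NETSTAT_S = """\
Ip:
    12 outgoing packets dropped
Tcp:
    10523 segments received
    10000 segments send out
    250 segments retransmited
Udp:
    5000 packets received
    7 packets to unknown port received
    3 packet receive errors
    4800 packets sent
TcpExt:
    Detected reordering 45 times using SACK
"""
# Add-on field name -> (netstat -s section, regex for the counter line).
# Assumed mapping: pairs the field descriptions given above with the netstat lines they describe.
FIELD_PATTERNS = {
    "IPdropped":  ("Ip",     r"(\d+) outgoing packets dropped"),
    "TCPrexmits": ("Tcp",    r"(\d+) segments retransmit"),  # netstat spells it "retransmited"
    "TCPreorder": ("TcpExt", r"Detected reordering (\d+) times"),
    "TCPpktRecv": ("Tcp",    r"(\d+) segments received"),
    "TCPpktSent": ("Tcp",    r"(\d+) segments send out"),
    "UDPpktLost": ("Udp",    r"(\d+) packet receive errors"),
    "UDPunkPort": ("Udp",    r"(\d+) packets to unknown port received"),
    "UDPpktRecv": ("Udp",    r"(\d+) packets received"),
    "UDPpktSent": ("Udp",    r"(\d+) packets sent"),
}

def parse_protocol_fields(netstat_text):
    """Map netstat -s counters onto the protocol sourcetype field names; missing counters stay 0."""
    fields = {name: 0 for name in FIELD_PATTERNS}
    section = None
    for line in netstat_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip().rstrip(":")  # section header such as "Tcp:"
            continue
        for name, (wanted_section, pattern) in FIELD_PATTERNS.items():
            match = re.search(pattern, line) if section == wanted_section else None
            if match:
                fields[name] = int(match.group(1))
    return fields

def retransmit_ratio(fields):
    """Share of sent TCP segments that were retransmissions (0.0 when nothing was sent)."""
    sent = fields["TCPpktSent"]
    return fields["TCPrexmits"] / sent if sent else 0.0
```

A sustained jump in this ratio on a host, compared with its own baseline, is a better signal than the raw TCPrexmits counter, which only grows since boot.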

sloshburch
Ultra Champion

(What follows is an incomplete answer)

No such detailed list appears to exist. Here's some advice that can help, but you'll see why it is incomplete soon enough.

Based on the banner messages in the link you shared, I suggest these pages instead: Splunk Add-on for Unix and Linux and Source types for the Splunk Add-on for Unix and Linux.

The way I would answer your question is to look at what unix command is being used for that sourcetype and check that unix command's man page for the elaboration on what the field represents.

Annoyingly, in the example you provided, it appears that TCPrexmits is a row header produced by protocol.sh and not actually defined within the unix command. I can't tell from the script what that field name is meant to represent. As such, this is something I'm discussing with folks internally... but no promises.

sloshburch
Ultra Champion

BTW: Merely reading the field name TCPrexmits, I believe it's shorthand for: TCP retransmits. So I guess the number of times packets had to be resent? I'm also being told it could map to the re-transmission timeout.
