
Splunk Add-on for Unix and Linux: detailed list of collected data

faustf
Communicator

Is there a detailed list of the data that the Splunk Add-on for Unix and Linux collects?
I found this documentation, but it is not very detailed.
For example, what does TCPrexmits (sourcetype=protocol) mean?
Does this add-on also collect how many packets have been retransmitted?

Thanks


fbhoraniya_splu
Splunk Employee

No, there is no other documentation available for the details of the data collected by the Unix and Linux add-on.

The meaning of each field for the sourcetype protocol is as below:

  • IPdropped - Outgoing packets dropped
  • TCPrexmits - Segments retransmitted
  • TCPreorder - Detected reordering
  • TCPpktRecv - Segments received
  • TCPpktSent - Segments sent out
  • UDPpktLost - UDP packet receive errors
  • UDPunkPort - UDP packets to unknown port received
  • UDPpktRecv - UDP packets received
  • UDPpktSent - UDP packets sent

If you want to understand the meaning of the fields for other sourcetypes, as SloshBurch said, you will have to read the script for that sourcetype.

As for collecting the number of packets retransmitted, to my knowledge only the TCPrexmits field of the sourcetype protocol contains that data.
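As an added example (my own code, not part of this thread and not the add-on's protocol.sh), the Python below maps constructed Linux `netstat -s` output onto the nine protocol fields listed above and derives a retransmit ratio from TCPrexmits and TCPpktSent. The counter-to-field mapping is an assumption taken from the field descriptions in this answer, so check it against the add-on's script before relying on it.

```python
import re
# ASSUMED field-to-counter mapping, drawn from this thread's descriptions, not from protocol.sh.
FIELD_PATTERNS = {
    "IPdropped":  ("Ip",     re.compile(r"^(\d+) outgoing packets dropped$")),
    "TCPrexmits": ("Tcp",    re.compile(r"^(\d+) segments retransmitted$")),
    "TCPreorder": ("TcpExt", re.compile(r"^Detected reordering (\d+) times")),
    "TCPpktRecv": ("Tcp",    re.compile(r"^(\d+) segments received$")),
    "TCPpktSent": ("Tcp",    re.compile(r"^(\d+) segments sent out$")),
    "UDPpktLost": ("Udp",    re.compile(r"^(\d+) packet receive errors$")),
    "UDPunkPort": ("Udp",    re.compile(r"^(\d+) packets to unknown port received$")),
    "UDPpktRecv": ("Udp",    re.compile(r"^(\d+) packets received$")),
    "UDPpktSent": ("Udp",    re.compile(r"^(\d+) packets sent$")),
}

def parse_netstat_s(text):
    """Return {field: int}; the section header (Ip:, Tcp:, Udp:, TcpExt:) is
    tracked so a counter is only taken from the section it belongs to."""
    fields, section = {}, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace() and raw.rstrip().endswith(":"):
            section = raw.strip()[:-1]  # e.g. "Tcp"
            continue
        line = raw.strip()
        for name, (want_section, pat) in FIELD_PATTERNS.items():
            m = pat.match(line)
            if m and section == want_section:
                fields[name] = int(m.group(1))
    return fields

def retransmit_ratio(fields):
    """Share of sent TCP segments that were retransmissions; None if none sent."""
    sent = fields.get("TCPpktSent", 0)
    return None if sent == 0 else fields.get("TCPrexmits", 0) / sent

# Constructed, abridged `netstat -s` output (not captured from a real host).
SAMPLE = """\
Ip:
    3 outgoing packets dropped
Tcp:
    98765 segments received
    87654 segments sent out
    1234 segments retransmitted
Udp:
    4321 packets received
    12 packets to unknown port received
    3 packet receive errors
    3210 packets sent
TcpExt:
    Detected reordering 7 times using SACK
"""
```

The counters are cumulative since boot, so a ratio that climbs between polls is more telling than the absolute TCPrexmits value.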

sloshburch
Splunk Employee

(What follows is an incomplete answer)

No such detailed list appears to exist. Here's some advice that can help, but you'll see why it is incomplete soon enough.

Based on the banner messages in the link you shared, I suggest these pages instead: Splunk Add-on for Unix and Linux and Source types for the Splunk Add-on for Unix and Linux.

The way I would answer your question is to look at which Unix command is being used for that sourcetype and check that command's man page for an elaboration on what the field represents.

Annoyingly, in the example you provided, it appears that TCPrexmits is a row header produced by protocol.sh and not actually defined within the Unix command. I can't tell from the script what that field name is meant to represent. As such, this is something I'm discussing with folks internally... but no promises.


sloshburch
Splunk Employee

BTW: merely reading the field name TCPrexmits, I believe it's shorthand for "TCP retransmits". So I guess the number of times packets had to be resent? I'm also being told it could map to the retransmission timeout.
