Solved: Splunk add-on for unix and linux: nfsiostat suppor...

JykkeDaMan · ‎10-09-2023

App: https://splunkbase.splunk.com/app/833

It looks like the nfsiostat.sh script is not compatible with the RHEL9. I'm testing with Rocky9.2 and the nfsiostat command output is already different to 7.9.

EDIT: It seems to support RHEL9 explicitly (without the new columns), but NOT Rocky9.

Example from 7.9:

# nfsiostat

server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

   op/s		rpc bklog
  33.88 	   0.00
read:             ops/s		   kB/s		  kB/op		retrans		avg RTT (ms)	avg exe (ms)
		  1.382 	 43.682 	 31.613     3357 (0.0%) 	  0.612 	  1.551
write:            ops/s		   kB/s		  kB/op		retrans		avg RTT (ms)	avg exe (ms)
		  4.595 	138.038 	 30.041     1041 (0.0%) 	  1.659 	 11.039

Example from Rocky9.2:

- First op/s => ops/s
- 2 new metrics: "avg queue (ms)" and "errors"

server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

           ops/s       rpc bklog
           0.453           0.000

read:              ops/s            kB/s           kB/op         retrans    avg RTT (ms)    avg exe (ms)  avg queue (ms)          errors
                   0.000           0.001           1.356        0 (0.0%)           0.096           0.108           0.006        0 (0.0%)
write:             ops/s            kB/s           kB/op         retrans    avg RTT (ms)    avg exe (ms)  avg queue (ms)          errors
                   0.001           0.035          25.519        0 (0.0%)           0.562           0.600           0.027        0 (0.0%)

nfsiostat.sh script cannot parse the new format and currently I get something like this:

# /usr/ipbx/splunkforwarder/etc/apps/Splunk_TA_nix/bin/nfsiostat.sh
Mount                                                     Path                  r_op/s  w_op/s  r_KB/s   w_KB/s  rpc_backlog  r_avg_RTT  w_avg_RTT  r_avg_exe  w_avg_exe
server:/mnt/yumrepo  /repos/pkg.repo.d  read:   write:  ops/s    ops/s   0.000        avg        avg        RTT        RTT
0.000                                                     0.001                 rpc     0.096   0.108
0.001                                                     0.453                 read:   0.000   ops/s    avg     RTT
write:                                                    kB/o                  ops/s   rpc     mounted

JykkeDaMan · ‎10-09-2023

Yes, I will create a support request also.

A quick and dirty workaround to get at least the same old columns from Rocky9 I can use field ID_LIKE from /etc/os-release:

 if [ -e $OS_FILE ] && ( ( (awk -F'=' '/ID_LIKE=/ {print $2}' $OS_FILE | grep -q rhel) ...

View solution in original post

richgalloway · ‎10-09-2023

That is a Splunk-supported add-on so you can submit a support request (if you have entitlement) for RHEL9 support.

---
If this reply helps you, Karma would be appreciated.

JykkeDaMan · ‎10-09-2023

Yes, I will create a support request also.

A quick and dirty workaround to get at least the same old columns from Rocky9 I can use field ID_LIKE from /etc/os-release:

 if [ -e $OS_FILE ] && ( ( (awk -F'=' '/ID_LIKE=/ {print $2}' $OS_FILE | grep -q rhel) ...

Splunk add-on for unix and linux: nfsiostat support for Rocky9?

installation

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector