All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the Splunk App for Unix and Linux not displaying results in dashboards, but data is returned when I search index=os?

saurabh_tek
Communicator
‎06-08-2016 02:16 AM

Splunk App for Unix and Linux is not reflecting data on dashboards whereas data is visible in Splunk when I search index=os (The add-on is collecting data).
I have tried both versions of the app - version 5.0.3 and version 5.1.0 and both are not showing data.

After installing them, in settings configuration page, I clicked SAVE as I was okay with pre-defined sourcetypes.

Has anyone some solution to this issue ?

0 Karma
Reply

Estrellia
Explorer
‎07-21-2016 06:27 AM

Ok I just found the solution to this problem..

You also need to install the "Add-on" application on the Indexer/Search instance.

So now it is populating the dashboards are the fields are correctly recognised and extracted. Problem solved.

I hope it will help some people with the same issue.

Cheers

Reply

abhayj1987
Engager
‎05-13-2018 09:26 PM

Thanks! This works. The documentation states that the Splunk Add-On for Unix & Linux needs to be installed only on the forwarders & indexers. This clearly is not the case because without the Add-on on the search head, the parsing does not work & the dashboards are not populated.

0 Karma
Reply

Estrellia
Explorer
‎07-21-2016 03:37 AM

Hello,

I am having the exact same problem this morning, I guess it comes from the fact the fields used in all the queries from the dashboards are not extracted. For example in:

index=os sourcetype=top host=forwarder.localdomain | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME

I have no result.

But when I'm only using index=os sourcetype=top host=forwarder.localdomain I get all the events related to this search.

And I don't see the extracted fields in the left side in the "Interesting fields". I guess that's why splunk is not able to use these fields to narrow and display the query for the dashboard.

Now the question is: Is it normal these fields are not automatically extracted? And what step are we missing to do so?

Do we need to modify somehow the props.conf and so on manually or... copy something somewhere?

Thanks for your help guys

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...