
Why is the Splunk App for Unix and Linux not displaying results in dashboards, but data is returned when I search index=os?

saurabh_tek
Communicator

Splunk App for Unix and Linux is not reflecting data on dashboards whereas data is visible in Splunk when I search index=os (The add-on is collecting data).
I have tried both versions of the app - version 5.0.3 and version 5.1.0 and both are not showing data.

After installing them, in settings configuration page, I clicked SAVE as I was okay with pre-defined sourcetypes.

Does anyone have a solution to this issue?

0 Karma

Estrellia
Explorer

OK, I just found the solution to this problem.

You also need to install the "Add-on" application on the Indexer/Search instance.

So now it is populating the dashboards, as the fields are correctly recognised and extracted. Problem solved.

I hope it will help some people with the same issue.

Cheers

abhayj1987
Engager

Thanks! This works. The documentation states that the Splunk Add-On for Unix & Linux needs to be installed only on the forwarders & indexers. This clearly is not the case because without the Add-on on the search head, the parsing does not work & the dashboards are not populated.

0 Karma

Estrellia
Explorer

Hello,

I am having the exact same problem this morning, I guess it comes from the fact the fields used in all the queries from the dashboards are not extracted. For example in:

index=os sourcetype=top host=forwarder.localdomain | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME

I have no result.

But when I'm only using index=os sourcetype=top host=forwarder.localdomain I get all the events related to this search.

And I don't see the extracted fields on the left side in the "Interesting fields". I guess that's why Splunk is not able to use these fields to narrow and display the query for the dashboard.

Now the question is: Is it normal these fields are not automatically extracted? And what step are we missing to do so?

Do we need to modify somehow the props.conf and so on manually or... copy something somewhere?

Thanks for your help guys

0 Karma