Splunk App for Unix and Linux is not reflecting data on dashboards whereas data is visible in Splunk when I search
index=os (The add-on is collecting data).
I have tried both versions of the app - version 5.0.3 and version 5.1.0 and both are not showing data.
After installing them, in settings configuration page, I clicked SAVE as I was okay with pre-defined sourcetypes.
Has anyone some solution to this issue ?
Ok I just found the solution to this problem..
You also need to install the "Add-on" application on the Indexer/Search instance.
So now it is populating the dashboards are the fields are correctly recognised and extracted. Problem solved.
I hope it will help some people with the same issue.
Thanks! This works. The documentation states that the Splunk Add-On for Unix & Linux needs to be installed only on the forwarders & indexers. This clearly is not the case because without the Add-on on the search head, the parsing does not work & the dashboards are not populated.
I am having the exact same problem this morning, I guess it comes from the fact the fields used in all the queries from the dashboards are not extracted. For example in:
index=os sourcetype=top host=forwarder.localdomain | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME
I have no result.
But when I'm only using
index=os sourcetype=top host=forwarder.localdomain I get all the events related to this search.
And I don't see the extracted fields in the left side in the "Interesting fields". I guess that's why splunk is not able to use these fields to narrow and display the query for the dashboard.
Now the question is: Is it normal these fields are not automatically extracted? And what step are we missing to do so?
Do we need to modify somehow the props.conf and so on manually or... copy something somewhere?
Thanks for your help guys