Re: Why is the data I'm getting via the Splunk Add...

Chiaki · ‎02-25-2017

Hi All

I encountered the issue as below.
Please kindly help us if you have the answer.

I would like know the reason and the solution.

◆Situation
When i get the data using Splunk Add-on for Unix and Linux (default script) from client server, the data is changed suddenly like below.

The indexer doesn't have correct value, it seems like that first value is different and following value moved to next so on.

◆example
As of 'cpu' as source type.

in indexer getting the value as expected.

CPU=all
pctUser =0.00
pctNice =0.00
pctSystem =0.00
pctIowait =0.12

pctIdle = 99.88

but indexer has like below

CPU=0.12
pctUser =0.00
pctNice =0.00
pctSystem =0.00
pctIowait =0.12

pctIdle = 99.88

SO it seems like the indexer doesn't get correct value.
As i checked, the data in the same server happens sometimes (sometimes get correct and doesn't correct next time.. something like that)

I would like the reason for it and what is the trigger.

Best regard
Chiaki

sloshburch · ‎01-03-2019

Sounds like an issue with the sourcetype definitions. Maybe check if someone messed with the configuration files (specifically props.conf and transforms.conf) such that they deviate from what's on Splunkbase?

mattymo · ‎02-26-2017

What does your environment look like? Is it Standalone or distributed?

Can you share a screenshot of the events?

- MattyMo

Chiaki · ‎02-26-2017

Hi mmodestino

This issue occured in Production environment,
And our environment is distributed using "Clustered Indexer" and "Clusetred Search head".

I'm just trying to check way to share..please wait

Why is the data I'm getting via the Splunk Add-on for Unix and Linux changed?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...