Why is the data I'm getting via the Splunk Add-on for Unix and Linux changed?

New Member

Hi All

I encountered the issue below.
Please kindly help us if you have the answer.

I would like to know the reason and the solution.

◆Situation
When I get the data using the Splunk Add-on for Unix and Linux (default script) from a client server, the data suddenly changes as shown below.

The indexer doesn't have the correct value; it seems that the first value is different and the following values moved to the next, and so on.

◆Example
For 'cpu' as the source type.

In the indexer, the values as expected:

CPU=all
pctUser =0.00
pctNice =0.00
pctSystem =0.00
pctIowait =0.12

pctIdle = 99.88

But the indexer has values like below:

CPU=0.12
pctUser =0.00
pctNice =0.00
pctSystem =0.00
pctIowait =0.12

pctIdle = 99.88

So it seems like the indexer doesn't get the correct value.
As I checked, this happens sometimes for data from the same server (sometimes it is correct and the next time it is not, something like that).

I would like to know the reason for it and what the trigger is.

Best regards
Chiaki

0 Karma

Ultra Champion

Sounds like an issue with the sourcetype definitions. Maybe check if someone messed with the configuration files (specifically props.conf and transforms.conf) such that they deviate from what's on Splunkbase?

0 Karma

Splunk Employee

What does your environment look like? Is it Standalone or distributed?

Can you share a screenshot of the events?

0 Karma

New Member

Hi mmodestino

This issue occurred in the production environment,
and our environment is distributed, using "Clustered Indexer" and "Clustered Search head".

I'm just trying to find a way to share it. Please wait.

0 Karma