All Apps and Add-ons

*nix App interfaces no results found

verdantjellis
Explorer

We are evaluating Splunk to provide central logging and to possibly replace our Zenoss monitoring tool. I've installed the *nix App but when I look at Interface Throughput I get a "No results found." error. I have already enabled interface monitoring on my remote Linux system (RHEL 5.6) and I can see events, however many of the fields appear to be empty.

Is the collection script on the client side not parsing the output correctly? Thank you.

The following is the search from the job inspector:

search index="os" sourcetype="interfaces" host=*   | multikv fields name, inetAddr, RXbytes, TXbytes   | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name    | eval time=_time   | strcat Name "-" inetAddr "@" host Interface_Host   | eval RX_Thruput_KB = (lastRX-RXbytes)/1024   | eval TX_Thruput_KB = (lastTX-TXbytes)/1024   | timechart  eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host

It states that "the transforming commands in the highlighted portion of the following search:

timechart  eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host

over the time range:

2/9/12 4:09:00.000 PM – 2/9/12 4:24:07.000 PM

generated no results."



It also spat out the following debug messages:

DEBUG: Specified field(s) missing from results: 'TX_Thruput_KB'
DEBUG: base lispy: [ AND host::* index::os sourcetype::interfaces ]
DEBUG: search context: user="admin", app="unix", bs-pathname="/opt/splunk/etc"
1 Solution

araitz
Splunk Employee
Splunk Employee

The interfaces.sh script has some problems that you can find in other answers:

http://splunk-base.splunk.com/answers/22690/getting-syntax-error-from-interfacessh-for-nix-app

Look there for the patch. You can test that this is the issue by running:

 index="os" sourcetype="interfaces"

If I am right, there won't be any results.

View solution in original post

bluelip
Engager

Verdantjellis, just came across the same extra '.' on line 27:
CMD='ifconfig'.

After removing it, the script ran and my charts started to be generated.

RodB1
Engager

Yes, I too ran across this. Still line 27. Take out the '.' (period) and it runs just fine and charts generate.

File (default install):
/opt/splunk/etc/apps/unix/bin/interfaces.sh

This occurs on CentOS 6.3:
2.6.32-279.1.1.el6.x86_64 #1 SMP Tue Jul 10 13:47:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

0 Karma

araitz
Splunk Employee
Splunk Employee

The interfaces.sh script has some problems that you can find in other answers:

http://splunk-base.splunk.com/answers/22690/getting-syntax-error-from-interfacessh-for-nix-app

Look there for the patch. You can test that this is the issue by running:

 index="os" sourcetype="interfaces"

If I am right, there won't be any results.

View solution in original post

araitz
Splunk Employee
Splunk Employee

bump - need more information to help you out 🙂

0 Karma

araitz
Splunk Employee
Splunk Employee

OK - what happens when you run the search above?

0 Karma

verdantjellis
Explorer

Actually, my original issue still remains, though, after fixing the interfaces.sh script. I still am unable to generate a chart of throughput with the same errors as above...

0 Karma

araitz
Splunk Employee
Splunk Employee

Glad to help. We will have this issue fixed in a forthcoming version of the app.

0 Karma

verdantjellis
Explorer

Thanks for the info, after doing some more research I figured out how to run the interfaces.sh script in debug mode and that's where I saw the error that the 'ifconfig.' command could not be found. There was a '.' put on the end of the command in the script and after removing that the command ran properly.

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!