All Apps and Add-ons

splunk app for Unix does not extract fields from CPU info


I have a problem with Splunk App for Unix and Linux: it gets CPU data from the forwarder and indexes it, but it doesn't show it in the dashboard. I know that there already is a similar question (this one: ), but I don't know if my question is a duplicate: that other question doesn't provide a lot of details.

I have Splunk Universal Forwarder installed on one machine and Splunk Enterprise installed on another machine. On the forwarder I installed Splunk Add-on for Unix and Linux. On Splunk Enterprise I installed Splunk App for Unix and Linux. I configured the forwarder to send data to Splunk Enterprise. I verified that Splunk Enterprise receives CPU-related data from the forwarder by running the search "source=cpu".


In the search result I see that Splunk Enterprise receives this data, but two things are suspicious for me:
- I see that events contain multiple lines: I would rather expect each line to be an event on its own.
- I see that events do not contain the fields I would expect them to have, like "CPU", "pctUser", "pctNice", "pctSystem", etc.

Then I went to "splunk app for Unix" -> "hosts". There I see a message:

CPU: unknown - is enabled?

In order to investigate the problem I clicked "CPU: No results found. Inspect ...". This is what I saw:


It seems that the problem is caused by the fact that this search does not return data. In order to investigate it I tried to find out which part of the search causes the problem. I found that this search returns results:

index=main sourcetype=cpu 

but this does not:

index=main sourcetype=cpu CPU="all"

Well, so the problem is that in the sourcetype called "cpu" we don't have a field called "CPU". So it seems that the source of the problem is the fact that when Splunk Enterprise receives CPU data from the forwarder, it does not extract the interesting fields from it, as I noticed at the beginning.

But why? I think "Splunk App for Unix and Linux" should take care of it?




You need to install Splunk Add-on for Unix and Linux on the Search Head and Indexers (this does not require inputs enabled if you do not want to monitor those stats on the Search Head and Indexers); after that it will start breaking all required fields for dashboards in Splunk App for Unix and Linux.


Yes, it was the reason. I installed Splunk Add-on for Unix and Linux on the machine with Splunk Enterprise and it helped. Thank you!

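The thread boils down to search-time field extraction: the raw multi-line cpu event is indexed fine, but a search that filters on CPU="all" can only match once something on the search head knows how to break the event into the CPU, pctUser, pctNice, pctSystem (and so on) fields. The following Python is an added illustration, not code from the original post or from the Splunk add-on. The RAW_CPU_EVENT sample is constructed and only assumed to resemble the add-on's cpu.sh output (a whitespace-separated header row followed by one row per CPU); extract_cpu_fields and search are hypothetical helpers that mimic what the add-on's extraction and the dashboard's search do.

```python
"""Constructed example: why `index=main sourcetype=cpu CPU="all"` returns
nothing until search-time field extraction for sourcetype=cpu exists on
the search head."""
import re

# Constructed raw event, shaped like the multi-line sourcetype=cpu data the
# poster saw. Assumed layout (not copied from the page): a header row with the
# field names, then one whitespace-separated row per CPU.
RAW_CPU_EVENT = """\
CPU    pctUser    pctNice  pctSystem  pctIowait    pctIdle
all       3.21       0.00       1.07       0.12      95.60
0         4.10       0.00       1.30       0.20      94.40
1         2.32       0.00       0.84       0.04      96.80
"""


def extract_cpu_fields(raw_event):
    """Search-time style extraction: turn the multi-line event into one
    record per CPU row, keyed by the names in the header line.
    Returns [] when no recognisable header is present, which is exactly
    how an unextracted event looks to a field-filtered search."""
    lines = [ln for ln in raw_event.splitlines() if ln.strip()]
    if not lines:
        return []
    header = re.split(r"\s+", lines[0].strip())
    if header[0] != "CPU":
        return []
    records = []
    for line in lines[1:]:
        cols = re.split(r"\s+", line.strip())
        if len(cols) != len(header):
            continue  # skip malformed rows rather than misalign field values
        rec = {header[0]: cols[0]}
        for name, val in zip(header[1:], cols[1:]):
            try:
                rec[name] = float(val)
            except ValueError:
                rec[name] = val  # keep non-numeric cells as-is
        records.append(rec)
    return records


def search(events, extracted=True, **filters):
    """Mimic a field-filtered search such as CPU="all" over raw events.
    With extracted=False no fields exist (the search head lacks the add-on's
    extraction), so any field filter matches nothing."""
    hits = []
    for raw in events:
        records = extract_cpu_fields(raw) if extracted else []
        for rec in records:
            if all(str(rec.get(k)) == str(v) for k, v in filters.items()):
                hits.append(rec)
    return hits


if __name__ == "__main__":
    events = [RAW_CPU_EVENT]
    # Forwarder-only add-on install: data is indexed, but no fields to filter on.
    print("without extraction:", len(search(events, extracted=False, CPU="all")))
    # Add-on present on the search head: the same raw event now yields fields.
    print("with extraction:   ", len(search(events, extracted=True, CPU="all")))
    for rec in search(events, CPU="all"):
        print(rec)
```

The point the answer makes is visible in the two calls: the raw event is identical in both cases, and only the presence of the extraction logic on the searching side changes whether CPU="all" finds anything, which is why installing the add-on on the search head (not only on the forwarder) fixed the dashboards.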