Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

expected behavior of lsof for *nix

Branden
Builder
‎09-14-2010 12:45 PM

I recently made a stab at porting the lsof *nix app to AIX. I realize this is an unsupported configuration, but we AIX users feel left out!

Anyways, it wasn't that hard to port. We already had lsof for AIX compiled. I just modified common.sh to fake it into believing it supports AIX, copied the props.conf, and off I went.

It runs lsof.sh and indexes the information, but I guess I was expecting more. Maybe I have more work to do on porting it, but for now it seems to just run lsof and captures the output of the command into a single 500 line entry. No special fields or anything like that.

Is that the expected behavior of lsof for *nix? Or is there more to it that I am missing? What is the difference between lsof for *nix versus running lsof.sh as your own app?

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-14-2010 05:15 PM

There isn't a big difference, and shouldn't be. The only reason we have the scripts is to make sure that the "right" fields are output, and that the same fields are output with the same names across different platforms, and that the "right" options are specified to render the correct output (e.g., resolve hostnames vs show IP addresses, resolve port names vs numbers, show files or just network ports, UDP vs TCP ports, etc.)

So yes, the script is meant to be very simple, just to standardize the data that goes into Splunk. Any sophistication comes afterwards from the searches in the *nix application dashboards, which make assumptions about what data is present and how it is named.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-14-2010 05:15 PM

There isn't a big difference, and shouldn't be. The only reason we have the scripts is to make sure that the "right" fields are output, and that the same fields are output with the same names across different platforms, and that the "right" options are specified to render the correct output (e.g., resolve hostnames vs show IP addresses, resolve port names vs numbers, show files or just network ports, UDP vs TCP ports, etc.)

So yes, the script is meant to be very simple, just to standardize the data that goes into Splunk. Any sophistication comes afterwards from the searches in the *nix application dashboards, which make assumptions about what data is present and how it is named.

Reply
Solved! Jump to solution

Branden
Builder
‎09-14-2010 05:39 PM

Good info, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...