Linux Script output is different from _raw

Explorer

Hi all,

I've written a script in "/opt/splunk/etc/deployment-apps/testing/bin" named test1.sh, which gives me the expected result for what I intend the script to be used for.

Script Content.

#!/bin/sh

HEADER='CPU    pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf "%-3s  %9.1f\n", CPU, pctIdle}'
AWK=awk
CMD='top -n 1'
PARSE_0='NR==3 {CPU="all"} NR==3 {pctIdle=$8}'

$CMD | $AWK "$HEADERIZE $PARSE_0 $PRINTF"  header="$HEADER"

Script Results

CPU    pctIdle
all       94.9

However, upon running "/opt/splunk/bin/splunk reload deploy-server", the _raw values which I receive from my events are all as such.

CPU    pctIdle
           0.0

Can I get some insights on why this is so?

0 Karma

Re: Linux Script output is different from _raw

Communicator

I am not good with scripts; however, just to apprise you, to monitor CPU usage on a Unix box you can use the "Splunk Add-on for Unix and Linux".

https://splunkbase.splunk.com/app/833/

You can also find a script for CPU monitoring file and script in /bin/cpu.sh


Re: Linux Script output is different from _raw

Explorer

Thanks for the tips, though this answers half my question, as I still need to build a custom script to pull the data due to the target servers' limitation. As such, I can't use the /bin/cpu.sh. However, it seems that the default props.conf and transforms.conf from "Splunk Add-on for Unix and Linux" are working their magic, as Splunk is able to interpret and format the _raw data that I have according to what I wanted.

New Script
HEADER='CPU pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='END {printf "%-3s %9.1f\n", CPU, pctIdle}'
AWK=awk
CMD='vmstat'
PARSE_0='NR==3 {CPU="all"} NR==3 {pctIdle=$15}'

0 Karma

Re: Linux Script output is different from _raw

Communicator

I am glad the shared details helped with the completion of your task.

0 Karma

Re: Linux Script output is different from _raw

Engager

Hi,
I would consider that a possible reason for the different result might be related to quote escaping.
In any case, if you just want to get the idle time, then I would suggest:

mpstat  -u | awk '/\sall\s/ {print "CPU_idle " $13}'

Re: Linux Script output is different from _raw

Explorer

Thanks for the suggestion, Peirano. Unfortunately, the target "Suse" server on which our forwarder agents are currently installed does not support the "Mpstat" command.

0 Karma

Re: Linux Script output is different from _raw

Influencer

And where is the app/add-on testing deployed?

0 Karma

Re: Linux Script output is different from _raw

Explorer

This is currently being deployed via deployment-apps in my Cluster Master.

0 Karma

Re: Linux Script output is different from _raw

Influencer

Is this script part of a scripted input? And how is the output of the script forwarded to the indexer server?

0 Karma

Re: Linux Script output is different from _raw

Explorer

The script I wrote resides in the bin folder of my testing app "/opt/splunk/etc/deployment-apps/testing/bin".

It is being invoked by "/opt/splunk/etc/deployment-apps/testing/local" through the following inputs.conf stanza.

[script://./bin/test1.sh]
interval = 300
disabled = 1
index = test
sourcetype = doms_test_cpu

As for my outputs.conf (because we are running in a clustered environment):

[indexer_discovery:idx_discovery]
pass4SymmKey = xxx
master_uri = xxx

[tcpout:auto_lb_group]
indexerDiscovery = idx_discovery
autoLBFrequency = 30
forceTimebasedAutoLB = true
useACK = true

[indexer_discovery:prd_idx]
pass4SymmKey = xxx
master_uri = xxx

[tcpout:auto_lb_group_prd]
indexerDiscovery = prd_idx
autoLBFrequency = 30
forceTimebasedAutoLB = true
useACK = true

[tcpout]
defaultGroup = auto_lb_group_prd, auto_lb_group
0 Karma
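
Added example, not part of any post in this thread: the awk program from the original question, fed constructed `top`-style text and then no input at all, reproduces both outputs quoted there, because its END block prints even when line 3 never arrives. The function names, the sample text and the guarded variant (which refuses to emit an event instead of reporting 0.0) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not code from the thread. The sample input is constructed.
HEADER='CPU    pctIdle'

# The awk program from the question: line 3 sets both fields, END always prints.
original_parse() {
    awk "BEGIN {print \"$HEADER\"} "'NR==3 {CPU="all"} NR==3 {pctIdle=$8}
         END {printf "%-3s  %9.1f\n", CPU, pctIdle}'
}

# Guarded variant (hypothetical): print an event only when line 3 was seen
# and field 8 is numeric; otherwise complain on stderr and exit non-zero.
guarded_parse() {
    awk -v header="$HEADER" '
        NR==3 && $8 ~ /^[0-9]+(\.[0-9]+)?$/ { idle = $8; ok = 1 }
        END {
            if (!ok) {
                print "no usable line 3 from command" > "/dev/stderr"
                exit 1
            }
            print header
            printf "%-3s  %9.1f\n", "all", idle
        }'
}

# Constructed text shaped like the first three lines of `top` output.
sample_top() {
cat <<'EOF'
top - 10:00:00 up 1 day,  1:00,  1 user,  load average: 0.00, 0.01, 0.05
Tasks: 100 total,   1 running,  99 sleeping,   0 stopped,   0 zombie
%Cpu(s):  3.1 us,  1.5 sy,  0.0 ni, 94.9 id,  0.3 wa,  0.0 hi,  0.2 si,  0.0 st
EOF
}

echo "--- original program, three lines of input ---"
sample_top | original_parse
echo "--- original program, command wrote nothing to stdout ---"
: | original_parse
echo "--- guarded program, command wrote nothing to stdout ---"
: | guarded_parse || echo "(no event emitted)"
```

Any run in which the command writes fewer than three lines to stdout lands in the second case, so a stored event with an empty CPU field and 0.0 is a sign that the parser saw no data, not that the host was fully busy.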