I am trying to use *NIX to monitor my network throughput statistics and graph them nicely. I am currently using Bandwidthd, but I would like to get it all usable in one interface. Everything else worked perfectly: CPU, memory, failed login detection, everything graphs nicely. But when I try to monitor the network by throughput, I get this at the top of the page: "Specified field(s) missing from results: 'TX_Thruput'"
Running locally on Ubuntu 10.04, Splunk 4.1.5 build 85165. I have all of the options checked for the *NIX configuration. I checked out the searches suggested in http://answers.splunk.com/questions/4287/measure-throughput-eps-kbps-per-input but they return no results.
I'm not sure of the actual cause, but what I noticed in the data was that the output from "interface.sh" was including the virtual interfaces (i.e. not eth0:0, eth0:1, etc.). Those do not end up reporting all the data like the actual interface (eth0) does. I'm thinking that multikv has issues when there's no value between field separators of the "table" (i.e. two tabs with nothing in between).
Since I didn't care about the virtuals (as the data for those are included in the main interface), I modified interface.sh to exclude virtual interfaces. My method was kludgy, but it seems to work. I piped the output of the command that gathered the interface list to "grep -v ':'" for the Linux section.
Bingo! Data starts getting parsed, fields defined, and graphs looking all pretty!
Anyone have an update on this? I'm seeing this as well. When simply querying all events for the "interfaces" sourcetype (for index "os") under the Unix app, it doesn't seem to be defining fields for these. I would think that the Unix app should have defined these, no? The headers are more funky than your basic "X=Y" output; it's a column-based output (headers). But still, it's been like this for this command on Linux for a long time.
Anyone? Is this just a bug in the Unix app that needs fixing?
Without seeing the output of each event in the search window, this will be hard to answer. I strongly suspect your field for TX_Thruput is not extracted by default. Typically, Splunk finds the fields you want to use automatically, but there are some cases where you must configure Splunk to properly extract fields. You will need to create a field extraction for the TX_Thruput field. You can do this via the interactive field extraction tool or via a rex command.
args = host
definition = index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput = lastRX-RXbytes | eval TX_Thruput = lastTX-TXbytes | timechart eval(sum(TX_Thruput)/dc(time)) by Interface_Host
is the line in the unix app files that seems that it is supposed to do this task. I run that search manually and it gives the error about missing fields.
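The two ideas in this thread, that a column-based table with empty cells (the virtual interfaces) loses fields when parsed, and that throughput is the difference between consecutive byte-counter samples as the macro's `eval TX_Thruput = lastTX-TXbytes` computes it, can be reproduced outside Splunk. The following is an added example, not code from the Unix app or from anyone in the thread; the two snapshots are constructed tab-separated tables modelled on the output described above, and `parse_table`, `drop_virtual_interfaces` and `throughput` are hypothetical helpers that mimic a naive column parser, the `grep -v ':'` workaround and the macro's delta, respectively.

```python
import re

# Constructed sample snapshots of a tab-separated interface table (not real
# interface.sh output). The virtual interface eth0:0 has empty RXbytes/TXbytes
# cells, i.e. two tabs with nothing in between.
SNAPSHOT_OLD = (
    "Name\tMTU\tinetAddr\tRXbytes\tTXbytes\n"
    "lo\t16436\t127.0.0.1\t1000\t1000\n"
    "eth0\t1500\t192.0.2.10\t50000\t20000\n"
    "eth0:0\t1500\t192.0.2.11\t\t\n"
)
SNAPSHOT_NEW = (
    "Name\tMTU\tinetAddr\tRXbytes\tTXbytes\n"
    "lo\t16436\t127.0.0.1\t1200\t1200\n"
    "eth0\t1500\t192.0.2.10\t60000\t25000\n"
    "eth0:0\t1500\t192.0.2.11\t\t\n"
)


def parse_table(text, split_on_tabs):
    """Parse a header line plus data rows into a list of dicts.

    split_on_tabs=False splits on runs of whitespace, which silently drops the
    empty cells, so a virtual-interface row comes out short and its trailing
    fields (RXbytes, TXbytes) are never defined. That is the column-shift
    failure the thread suspects in multikv. split_on_tabs=True keeps empty
    cells, so every row has exactly one value per header.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if split_on_tabs:
        split = lambda ln: ln.split("\t")
    else:
        split = lambda ln: re.split(r"\s+", ln.strip())
    headers = split(lines[0])
    rows = []
    for ln in lines[1:]:
        cells = split(ln)
        # zip() stops at the shorter sequence, so a short row loses fields.
        rows.append(dict(zip(headers, cells)))
    return rows


def drop_virtual_interfaces(rows):
    """Exclude alias interfaces such as eth0:0 (the thread's grep -v ':' fix)."""
    return [r for r in rows if ":" not in r["Name"]]


def throughput(old_rows, new_rows, field):
    """Per-interface difference of a byte counter between two snapshots,
    i.e. the macro's lastTX - TXbytes. An interface whose counter is missing or
    empty in either snapshot is reported as None rather than a bogus number."""
    previous = {r["Name"]: r for r in old_rows}
    deltas = {}
    for r in new_rows:
        cur = r.get(field)
        prev = previous.get(r["Name"], {}).get(field)
        if cur in (None, "") or prev in (None, ""):
            deltas[r["Name"]] = None
        else:
            deltas[r["Name"]] = int(cur) - int(prev)
    return deltas


def demo():
    """Naive whitespace parsing vs. tab parsing with virtual interfaces removed."""
    naive = throughput(parse_table(SNAPSHOT_OLD, False),
                       parse_table(SNAPSHOT_NEW, False), "TXbytes")
    fixed = throughput(drop_virtual_interfaces(parse_table(SNAPSHOT_OLD, True)),
                       drop_virtual_interfaces(parse_table(SNAPSHOT_NEW, True)),
                       "TXbytes")
    return naive, fixed


if __name__ == "__main__":
    naive, fixed = demo()
    print("naive TX deltas:", naive)   # eth0:0 has no TXbytes field at all
    print("fixed TX deltas:", fixed)   # only real interfaces, all numeric
```

Running it shows that with whitespace splitting the `eth0:0` row never gets an `RXbytes` or `TXbytes` key, which is the shape of the "Specified field(s) missing" error, while dropping the alias rows before the delta step leaves only interfaces with complete counters.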