
Splunk App for Unix and Linux is not listing all the fields for index=os sourcetype=cpu on search head

Ashwini008
Contributor

Hi,

I have the splunk_TA_NIX app installed on the indexer, Heavy Forwarder and search heads.

When I search index=os sourcetype=cpu on the indexers I can see the fields below.

[screenshot: Ashwini008_0-1627321473528.png]

But when I run the same query on the search heads I don't see any of those fields; I get just the fields below.

[screenshot: Ashwini008_1-1627321523941.png]

Any solution on how to get all the fields on the search heads?

scelikok
Champion

Hi @Ashwini008,

It seems there is no overwrite for the cpu sourcetype. Can you please also show us the output below? Let's see if the default sourcetype settings are shown.

splunk btool props list cpu --debug 
If this reply helps you an upvote is appreciated.

scelikok
Champion

Hi @Ashwini008,

Can you please run the command below on the search head and post the result? Maybe there is another props setting on your search heads that overwrites the field extraction.

splunk btool props list cpu --debug | grep local
If this reply helps you an upvote is appreciated.
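As an added example, not code from the thread or from Splunk_TA_nix: a small Python checker that parses constructed `splunk btool props list cpu --debug` output (the command asked for above) and reports every field-extraction key that is won by a file outside the TA, or that is set to an empty value, which is the kind of local override that would leave sourcetype=cpu without its fields on a search head. The sample output, paths and app names are assumptions.

```python
import re
# Constructed samples of `splunk btool props list cpu --debug` output (not taken
# from the thread): btool prints each effective key with the path of the file that won.
SAMPLE_HEALTHY = """\
/opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf  [cpu]
/opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf  REPORT-cpu = cpu_extractions
/opt/splunk/etc/apps/Splunk_TA_nix/default/props.conf  FIELDALIAS-dest = host as dest
/opt/splunk/etc/system/local/props.conf                MAX_DAYS_HENCE = 40
"""
# Same, except a local props.conf in the search app blanks REPORT-cpu (assumed scenario).
SAMPLE_OVERRIDDEN = SAMPLE_HEALTHY.replace(
    "apps/Splunk_TA_nix/default/props.conf  REPORT-cpu = cpu_extractions",
    "apps/search/local/props.conf           REPORT-cpu =")
EXTRACTION_PREFIXES = ("REPORT-", "EXTRACT-", "TRANSFORMS-", "FIELDALIAS-", "EVAL-", "LOOKUP-")
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.+)$")
APP_RE = re.compile(r"/etc/(?:apps/([^/]+)|(system))/(default|local)/")

def parse_btool_debug(text):
    """Return (stanza name, {key: (value, source path)}) from --debug output."""
    stanza, settings = None, {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
            continue
        key, sep, value = body.partition("=")
        if sep:
            settings[key.strip()] = (value.strip(), path)
    return stanza, settings

def audit_sourcetype(text, sourcetype="cpu", expected_app="Splunk_TA_nix"):
    """List reasons the TA's field extractions for `sourcetype` would not apply."""
    stanza, settings = parse_btool_debug(text)
    if stanza != sourcetype:
        return [f"no [{sourcetype}] stanza is effective on this instance"]
    findings = []
    extractions = {k: v for k, v in settings.items() if k.startswith(EXTRACTION_PREFIXES)}
    if not extractions:
        findings.append("no REPORT-/EXTRACT-/FIELDALIAS-/... keys are effective")
    for key, (value, path) in sorted(extractions.items()):
        m = APP_RE.search(path)  # which app and scope (default/local) won this key
        app, scope = (m.group(1) or m.group(2), m.group(3)) if m else ("?", "?")
        if app != expected_app:
            findings.append(f"{key} comes from {app}/{scope}, not {expected_app}: {path}")
        if value == "":
            findings.append(f"{key} is blank, which disables that extraction")
    return findings
```

Run it on the real output with audit_sourcetype(open("btool.txt").read()); an empty list means the TA's extraction keys are effective and the cause lies elsewhere (permissions, or the app not actually present on the search head).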

Ashwini008
Contributor

Hi @scelikok,

bin]$ ./splunk btool props list cpu --debug | grep local
/opt/app/splunk/splunk/etc/system/local/props.conf MAX_DAYS_HENCE = 40
/opt/app/splunk/splunk/etc/system/local/props.conf MAX_DAYS_HENCE = 40

gcusello
SplunkTrust

Hi @Ashwini008,

A first, really stupid question: you are searching in Verbose Mode, obviously?

Anyway, as hinted by @richgalloway, check if the knowledge objects (field extractions) in TA_nix are Global, not only App.

Ciao.

Giuseppe

Ashwini008
Contributor

@gcusello Yes, I am running it in Verbose mode and the knowledge objects have Global permission.

gcusello
SplunkTrust

Hi @Ashwini008,

try to force the use of a field by adding one field (e.g. CPU or another) to your search:

 index=os sourcetype=cpu CPU=*

and see if this way you can see the fields.

Then check in [Settings -- Sourcetypes] whether the cpu sourcetype is there.

Ciao.

Giuseppe

Ashwini008
Contributor

@gcusello I don't see the fields when I run

 index=os sourcetype=cpu CPU=*

since the CPU field is not present. The CPU sourcetype is defined in inputs.conf and props.conf.

gcusello
SplunkTrust

Hi @Ashwini008,

when you run the above search, do you have results or not?

If the field is not extracted, you shouldn't have any results; if instead it's extracted, you should see the fields.

If you look in [Settings -- Sourcetypes], do you have the "cpu" sourcetype?

Ciao.

Giuseppe

Ashwini008
Contributor

@gcusello I don't see any result when I run this query: index=os sourcetype=cpu CPU=*

And I see the sourcetype cpu in Settings.

gcusello
SplunkTrust

Hi @Ashwini008,

if you have no results with that search, it means that the field extraction isn't active in that App.

In [Settings -- Sourcetypes], which is the App of the cpu sourcetype?

It should be TA_nix; enter it and run your search to see if you see the fields.

If you see the fields in the TA_nix app, it means that the permissions aren't correct, because it runs in the App.

If you don't see the fields in TA_nix, it means that there's a problem, so delete the app from the Search Head and deploy it again.

Ciao.

Giuseppe

Ashwini008
Contributor

@gcusello Thanks for your inputs. I don't see any results when I run the query from the TA_NIX app.

I deleted and redeployed the application again, but no luck.

Any other way out you could think of?

richgalloway
SplunkTrust

Verify the TA is installed on the search heads and that its permissions are set to Global.

---
If this reply helps you, an upvote would be appreciated.
Ashwini008
Contributor

@richgalloway It is present on the Search head

[screenshot: Ashwini008_0-1627368288877.png]
