Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Splunk App for Unix and Linux not listing all the fields for index=os sourcetype=cpu on search head?

Ashwini008
Builder
‎07-26-2021 10:47 AM

Hi ,

I have splunk_TA_NIX app installed on indexer,Heavy Forwarder and search heads.

When i search index=os sourcetype=cpu on indexers i can see below fields.

Ashwini008_0-1627321473528.png

 

But same query when i run on search heads i dont see any of those fields it is just below fields

Ashwini008_1-1627321523941.png

 

Any solution on how to get all the fields on search heads?

 

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎07-29-2021 12:32 AM

Hi @Ashwini008,

It seems there is no overwrite for cpu sourcetype. Can you please also show us below output? Let's see if default sourcetype settings is shown?

splunk btool props list cpu --debug
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎07-28-2021 10:03 AM

Hi @Ashwini008,

Can you please run below command on search head and post the result? Maybe there is another props setting on your search heads that overwrites field extraction.

splunk btool props list cpu --debug | grep local
If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

Ashwini008
Builder
‎07-28-2021 11:11 AM

Hi @scelikok 

bin]$ ./splunk btool props list cpu --debug | grep local
/opt/app/splunk/splunk/etc/system/local/props.conf MAX_DAYS_HENCE = 40
/opt/app/splunk/splunk/etc/system/local/props.conf MAX_DAYS_HENCE = 40

0 Karma
Reply

Ashwini008
Builder
‎07-27-2021 08:34 AM

@gcusello @scelikok @Anonymous @woodcock Any suggestions?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-27-2021 10:11 AM

Hi @Ashwini008,

a first really stupid question: are you searching in Verbose Mode obviously?

Anyway, as hinted by @richgalloway, check if the knowledge objects (field extractions) are Global in TA_nix, not only the App.

Ciao.

Giuseppe

0 Karma
Reply

Ashwini008
Builder
‎07-27-2021 12:03 PM

@gcusello Yes i am running it in Verbose mode and knowledge objects have Global Permission

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-27-2021 11:21 PM

Hi @Ashwini008,

try to force the use of a field adding one field (e.g. CPU or another) to your search:

 index=os sourcetype=cpu CPU=*

and see if in this way you can see fields.

Then see in [Settings -- Sourcetypes] if there's te cpu sourcetype.

Ciao.

Giuseppe

0 Karma
Reply

Ashwini008
Builder
‎07-28-2021 02:08 AM

@gcusello I dont see the fields when i run 

 index=os sourcetype=cpu CPU=*

since CPU field is not present.CPU sourcetype is defined in inputs.conf and props.conf.

 

Tags (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-28-2021 05:36 AM

Hi @Ashwini008,

when you run the above search, have you results or not?

if the field is not extracted, you shouldn't have any result, if instead it's extracted, you should see the fields.

if you see in [Settings -- Sourcetypes], have you the "cpu" sourcetype?

Ciao.

Giuseppe

0 Karma
Reply

Ashwini008
Builder
‎07-28-2021 05:49 AM

@gcusello I dont see the result when i run this query index=os sourcetype=cpu CPU=*

And i see the sourcetype cpu in settings.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-28-2021 06:12 AM

Hi @Ashwini008,

if you haven't any result with that search, it means that the field extraction isn't active in that App.

In [Settings -- Sourcetypes], which id the App of cpu sourcetype?

It should be TA_nix, enter in it and run your search to see if you see the fields.

If you see the fields in the TA_nix app, it means that the permissions aren't correct because in te App it runs.

If you don't see the fields in the TA_nix, it means that there's a problem, so delete the app from the Search Head and deploy it again.

Ciao.

Giuseppe

0 Karma
Reply

Ashwini008
Builder
‎07-28-2021 10:18 AM

@gcusello Thanks for your inputs. I don't see any results when i run the query from the TA_NIX app.

I deleted and redeployed the application again.But No luck

Any other way out you could think of ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-26-2021 11:49 AM

Verify the TA is installed on the search heads and that its permissions are set to Global.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Ashwini008
Builder
‎07-26-2021 11:44 PM

@richgalloway It is present on Search head

Ashwini008_0-1627368288877.png

 

0 Karma
Reply

igor04653
Loves-to-Learn Everything
‎08-04-2022 03:38 AM

Hello
Were you able to solve this problem? I have the same problem. On some hosts the CPU=all field is available and on some hosts it is not

0 Karma
Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! 🎉 ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...