Hi,
Thanks for the prompt response.
Can I firstly confirm the file/script you mentioned = nmon_helper.sh
I don't see a "which python" command in this file only in the *nmon_cleaner.sh or * ????
The prefix of the lines with the error are :
2-05-2016 09:16:38.882 +1100 ERROR ArchiveContext - From archive='/opt/splunkforwarder/var/run/nmon/var/nmon_repository/[hostname_date_time.nmon]. Is this the process to cleanup/archive the processed nmon files ?
I have 12 files in this location/folder starting from installation yesterday. One every 2 hours.
I searched on the AIX server reporting with nmon (not the splunk server) but only found the savedsearches.conf file in my /$home/nmon/default/". I then realised, this was the extracted/gzip'd installation file. I have removed this entire "$home/nmon" folder structure and have restarted splunk on the Universal Forwarder/nmon host.
However, same messages in the splunkd.log on this host after restart of splunk.
I also found the same file on the splunk server in "/opt/splunk/etc/apps/nmon/default/savedsearches.conf". Content for these lines are the same.
search = (index=nmon sourcetype=nmon_processing OR sourcetype=nmon_collect error) OR (index=_internal sourcetype=splunkd ERROR ExecProcessor nmon) NOT ("There is no python in" OR "python: not found") | stats count As trend1\
| appendcols\
[ search (index=nmon sourcetype=nmon_processing OR sourcetype=nmon_collect error) OR (index=_internal sourcetype=splunkd ERROR ExecProcessor nmon) NOT ("There is no python in" OR "python: not found") earliest="-1d@d" latest="@d" | stats count As trend2 ]\
| transpose | fields row* | rename "row 1" As value
It looks the same as your example to me?
... View more