We are evaluating Splunk to provide central logging and to possibly replace our Zenoss monitoring tool. I've installed the *nix App but when I look at Interface Throughput I get a "No results found." error. I have already enabled interface monitoring on my remote Linux system (RHEL 5.6) and I can see events, however many of the fields appear to be empty.
Is the collection script on the client side not parsing the output correctly? Thank you.
The following is the search from the job inspector:
search index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput_KB = (lastRX-RXbytes)/1024 | eval TX_Thruput_KB = (lastTX-TXbytes)/1024 | timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host
It states that "the transforming commands in the highlighted portion of the following search:
timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host
over the time range:
2/9/12 4:09:00.000 PM – 2/9/12 4:24:07.000 PM
generated no results."
It also spat out the following debug messages:
DEBUG: Specified field(s) missing from results: 'TX_Thruput_KB'
DEBUG: base lispy: [ AND host::* index::os sourcetype::interfaces ]
DEBUG: search context: user="admin", app="unix", bs-pathname="/opt/splunk/etc"
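To see what the search above actually computes, here is an added example (not from the original post or from the Splunk *nix app) that emulates the multikv / streamstats / eval / strcat steps in Python over constructed interface samples; the host name, column headers and byte counts are assumed for illustration. It also shows that requesting a field name that does not match the table header (Splunk field names are case-sensitive) leaves the field empty and the final result set empty, which is the same symptom as "Specified field(s) missing from results".

```python
from typing import Dict, List, Sequence, Tuple

# Constructed events in the shape of the *nix app's interfaces output (header row,
# then one row per interface), newest first as Splunk returns them. Column names and
# values are assumed for illustration, not taken from the poster's host.
HOST = "rhel-box"  # constructed value for the host field used by strcat
SAMPLES: List[Tuple[int, str]] = [
    (1328821440, "Name  MAC                inetAddr  RXbytes  TXbytes\n"
                 "eth0  00:00:00:00:00:01  10.0.0.5  2097152  1048576\n"),
    (1328821380, "Name  MAC                inetAddr  RXbytes  TXbytes\n"
                 "eth0  00:00:00:00:00:01  10.0.0.5  1048576   524288\n"),
]

def multikv(event: str, fields: Sequence[str]) -> List[Dict[str, str]]:
    """Like `multikv fields ...`: split a header+rows table into one dict per row,
    keeping only the requested fields. A requested name that is not in the header
    (names are case-sensitive) is silently absent from the output."""
    lines = [ln for ln in event.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        values = dict(zip(header, line.split()))
        rows.append({f: values[f] for f in fields if f in values})
    return rows

def throughput_kb(samples, fields=("Name", "inetAddr", "RXbytes", "TXbytes")):
    """Mimics `streamstats current=f last(...) by Name`, the two evals and strcat:
    each row is paired with the previous (newer) row of the same Name. Rows lacking
    Name/RXbytes/TXbytes, or with no previous row, produce no value, so a wrong
    field list yields an empty result, i.e. "No results found."."""
    results = []
    last: Dict[str, Dict[str, str]] = {}
    for _time, raw in samples:
        for row in multikv(raw, fields):
            if not all(k in row for k in ("Name", "RXbytes", "TXbytes")):
                continue
            prev = last.get(row["Name"])
            if prev is not None:
                results.append({
                    "Interface_Host": f"{row['Name']}-{row.get('inetAddr', '')}@{HOST}",
                    "RX_Thruput_KB": (int(prev["RXbytes"]) - int(row["RXbytes"])) / 1024,
                    "TX_Thruput_KB": (int(prev["TXbytes"]) - int(row["TXbytes"])) / 1024,
                })
            last[row["Name"]] = row
    return results

if __name__ == "__main__":
    print(throughput_kb(SAMPLES))  # one row, TX 512 KB / RX 1024 KB between samples
    print(throughput_kb(SAMPLES, fields=("name", "inetAddr", "RXbytes", "TXbytes")))  # []
```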