We're able to partially get the official Splunk universal forwarder docker container to run the official *Nix add-on so an endpoint can collect & send its basic host metrics, but some of the add-on's host metrics collector scripts fail, such as
[ansible@alpha bin]$ cat debug--cpu.sh--Wed_Jan__1_12-35-08_UTC_2020
Not found any of commands [sar mpstat] on this host, quitting
Most scripts run fine like
ps as we do
docker run --pid=host. However, it looks like the official container is stripped down, so
cpu.sh has missing dependencies as above.
We were just going to
apt-get install sar... except we see no apt-get/apt/apk/yum:
-- Is there an alternate universal forwarder container we can put on these endpoints? This feels like the usual "alpine vs slim" issue, and other enterprise projects do stuff like dual releases here, but I couldn't find any.
-- Is there some other way to install those packages while keeping the forwarder in a slim container?
In have Splunk Enterprise as the Indexer and the Search Header, I´m triyng to collect performance data from a linux server so I installed in the server the Universal Forwarder and the Splunk_TA_nix Add On. I did the basics configuration to inputs.conf but at the end I didt collect the performance data like lsoft,top,nstats,etc.
How did you achive to collect netstat,top,ps?
Do you have dev tools available? You could install sar from source. The source for it can be found at :
tar -xvf sysstat-12.1.4.tar.bz2