
Splunk App for Unix - No data in dashboard

Daerzk
Explorer

I have installed (several times) the Splunk App for Unix (*nix) Version 6.0.1. I have changed the default index in the settings to use the index=main by editing the related search Macro. I have configured the SUFs 'downstream' to send data to the main index and I can see all the data arriving in the index as expected.  Note this is installed on a Splunk dedicated single instance running version 8.1.3 (Enterprise On-Premises)

In the settings section of the App, I can see the correct index is specified (main) and clicking on the various Preview button options returns valid data. See below for examples:

Index Specification, and verify "Preview" selections:

Daerzk_0-1616996974470.png

CPU data preview:

Daerzk_2-1616997223073.png

 

DF Data Preview:

Daerzk_3-1616997311022.png

 

Suffice it to say that all the other Preview buttons also return valid data. This would imply that the data is correctly configured and the application should be able to consume it.

However, when I try and look at the dashboards of the app, they all remain free of any data, as can be seen from the screen captures below:

Daerzk_4-1616997510400.png

Daerzk_5-1616997646819.png

 

I am kinda out of ideas. Anyone got anything?

Cheers

Chris 

 


96nick
Communicator

Chris,

Is the addon installed on the instance as well and not just on the forwarder(s)? This seems similar to the linked Community post below yet not exactly.

Post: https://community.splunk.com/t5/All-Apps-and-Add-ons/Why-is-the-Splunk-App-for-Unix-and-Linux-not-di...

 

Hope that helped! 

Daerzk
Explorer

I have the Splunk TA for Linux deployed to my two test servers and their configuration is what is sending the data through to the main index:

Daerzk_0-1617046121370.png

 

I had to manually change the permissions on the .sh and .py files due to my deployment server being a Windows box, but they are both sending all the expected telemetry from the SUF and TA to the main index.

...I had assumed, as the indexer was Windows, that it would not need the TA, but I will try that next - thanks! 


Daerzk
Explorer

Looks like the indexer might have to be a Linux box too - annoying!

Daerzk_0-1617051042755.png

 


96nick
Communicator

The add-on shouldn't be used graphically on the Windows instance. The add-on's main purpose is to extract fields so that your App shows data in the dashboards. So ideally you would have the following set up:

Linux Boxes: Add-on for Unix

Windows Box: App for Unix, Add-on for Unix

Data will send from the Linux boxes (with inputs turned on which you have) to the Windows box. You may need to restart the Windows box, but it *should* populate the dashboards if the addon is present on the Windows box. 

It is essentially the process that malmoore lays out in this post:

https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-configure-the-Splunk-App-for-Unix-and-Li...

 

Let me know if you get any further! 
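A quick check for the two failure points that come up in this thread (the add-on missing from an instance, and scripted inputs losing their execute bit after being pushed from a Windows deployment server), as an added example that is not part of the original posts. It applies to *nix hosts only and assumes apps live under `$SPLUNK_HOME/etc/apps` and that the add-on directory is named `Splunk_TA_nix`; pass a different name as the second argument if yours differs.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the Unix add-on is
# present on this host and that its scripted inputs are executable.
# Assumptions: apps directory layout and the default add-on directory
# name Splunk_TA_nix; both can be overridden through the arguments.
#
# Usage: check_nix_ta "$SPLUNK_HOME/etc/apps" [TA_DIRECTORY_NAME]
# Returns 0 = add-on present and every bin/*.sh, bin/*.py is executable
#         1 = add-on directory missing on this instance
#         2 = add-on present, but some scripts are not executable
check_nix_ta() {
    apps_dir=$1
    ta_name=${2:-Splunk_TA_nix}
    ta_dir="$apps_dir/$ta_name"

    if [ ! -d "$ta_dir" ]; then
        echo "MISSING: $ta_dir (install the add-on on this instance)"
        return 1
    fi

    status=0
    for f in "$ta_dir"/bin/*.sh "$ta_dir"/bin/*.py; do
        [ -f "$f" ] || continue   # the glob matched nothing
        if [ ! -x "$f" ]; then
            echo "NOT EXECUTABLE: $f (fix with: chmod +x \"$f\")"
            status=2
        fi
    done

    [ "$status" -eq 0 ] && echo "OK: $ta_dir"
    return "$status"
}
```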

 

Daerzk
Explorer

Victory: you are a STAR

Daerzk_0-1617090686344.png

 

richgalloway
SplunkTrust

See the app troubleshooting guide at https://docs.splunk.com/Documentation/UnixApp/6.0.0/User/TroubleshoottheSplunkAppforUnixandLinux

If that doesn't help then open a Splunk support request.

---
If this reply helps you, Karma would be appreciated.

Daerzk
Explorer

Alas, I am but a humble tinkerer and do not have paid support options! 😞
