Splunk Enterprise

Universal forwarder for Linux is not forwarding some types of sourcetypes

Splunk_Ryan
Explorer

On my Linux server the universal forwarder and Splunk_TA_nix are installed, at least df and cpu are enabled in inputs.conf.

vi /opt/splunkforwarder/etc/apps/Splunk_TA_nix/local/inputs.conf

[script://./bin/df.sh]
interval = 300
sourcetype = df
source = df
index = os
disabled = 0

[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
#interval = 30
interval = 300
index = os
disabled = 0

When I search for this Linux server on Splunk, I get df logs. But cpu logs are missing

Top 10 Values Count %
df 44 1.224%

Could anyone advise? much appreciated. 

Labels (1)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust
Have you try to run this cpu.sh as user splunk on this server? There could be an issue with permission or other stuff.

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust
Have you try to run this cpu.sh as user splunk on this server? There could be an issue with permission or other stuff.
0 Karma

Splunk_Ryan
Explorer

Thanks 

  The cpu.sh was not running on the Linux server either as splunk or as root. It turned out that the cpu.sh has a dependency on sysstat package which I had not installed.

  It is running now after sysstat was installed.

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...