I've just started messing around with Splunk to see if it would be good to use in our environment. I installed the *Nix App on my test machine, which is running Ubuntu 10.04 LTS. After accessing the app I notice that some of the "fields" aren't populating. For example, the CPU Overview has 4 boxes: consumption by command, consumption by user, CPU load by host, 5 most popular executables. The CPU Load By Host box has a graph, so it's getting data. The other 2 show the message: "No results found. Inspect ...". I click the Inspect link but I'm not entirely sure what I'm looking for. Here's what I see
(bolded text is what is highlighted):
search index="os" sourcetype="ps" host="*" | multikv fields pctCPU, COMMAND | stats sum(pctCPU) as pctCPU by _time,COMMAND | timechart avg(pctCPU) by COMMAND
This search is an instance of the saved search: CPU Usage by Command (UNIX - CPU).
The following messages were returned by the search subsystem:
DEBUG: base lispy: [ AND host::* index::os sourcetype::ps ]
DEBUG: search context: user="admin", app="unix", bs-pathname="/home/myusername/splunk/etc"
I read the contents of http://docs.splunk.com/Documentation/Splunk/latest/Admin/Cantfindthedatayourelookingfor and notice it says that the free version doesn't allow you to use "scheduled saved searches or summary indexing". Is that what's happening here?
Edited to add: using Splunk version 4.3 and Splunk for *Nix version 4.5