- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Why is the Splunk App for Unix and Linux not displ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the Splunk App for Unix and Linux not displaying results in dashboards, but data is returned when I search index=os?
Splunk App for Unix and Linux is not reflecting data on dashboards whereas data is visible in Splunk when I search index=os (The add-on is collecting data).
I have tried both versions of the app - version 5.0.3 and version 5.1.0 and both are not showing data.
After installing them, in settings configuration page, I clicked SAVE as I was okay with pre-defined sourcetypes.
Has anyone some solution to this issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I just found the solution to this problem..
You also need to install the "Add-on" application on the Indexer/Search instance.
So now it is populating the dashboards are the fields are correctly recognised and extracted. Problem solved.
I hope it will help some people with the same issue.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This works. The documentation states that the Splunk Add-On for Unix & Linux needs to be installed only on the forwarders & indexers. This clearly is not the case because without the Add-on on the search head, the parsing does not work & the dashboards are not populated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am having the exact same problem this morning, I guess it comes from the fact the fields used in all the queries from the dashboards are not extracted. For example in:
index=os sourcetype=top host=forwarder.localdomain | stats max(pctCPU) as pctCPU max(pctMEM) as pctMEM last(cpuTIME) as cpuTIME by COMMAND, USER | eval CMD=COMMAND | fields CMD, USER, pctCPU, pctMEM, cpuTIME
I have no result.
But when I'm only using index=os sourcetype=top host=forwarder.localdomain I get all the events related to this search.
And I don't see the extracted fields in the left side in the "Interesting fields". I guess that's why splunk is not able to use these fields to narrow and display the query for the dashboard.
Now the question is: Is it normal these fields are not automatically extracted? And what step are we missing to do so?
Do we need to modify somehow the props.conf and so on manually or... copy something somewhere?
Thanks for your help guys
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
