
Splunk App for Unix and Linux: Why are fields not being properly extracted from Solaris machines resulting in incorrect data?

splunker9999
Path Finder

Hi, we have configured the Splunk App for Unix and Linux on all our hosts and we're facing a weird issue.

This app is working fine on all our Linux and HP UX boxes, but on Solaris boxes vmstat is not working as expected.

Issues:
On Linux or HP UX, fields are extracted properly and we see data. But for Solaris, fields are not extracted properly and we see incorrect data.

Below is a sample log file:

memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi
     16384      439337     -422953      2681.5     -2581.5          77         36.4           0  13949520474  10370043883    20143325         123         727        0.31

The memUsedPct and memFreePct values are incorrect, and this should be the same for all the other values.

Can someone please advise on this?

Below is the Python script which is calling this data:

# Solaris (SunOS) branch of the collector; the opening "if [" was cut off in the post and is restored here.
if [ "x$KERNEL" = "xSunOS" ] ; then
        assertHaveCommand vmstat
        assertHaveCommandGivenPath /usr/sbin/swap
        assertHaveCommandGivenPath /usr/sbin/prtconf
        assertHaveCommand prstat
        # Solaris 8/9 vmstat has no -q flag; newer releases use it.
        if [ $SOLARIS_8 -o $SOLARIS_9 ] ; then
                CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat    1 1 ; vmstat -s ; prstat -n 1 1 1'
        else
                CMD='eval /usr/sbin/prtconf 2>/dev/null | grep Memory ; /usr/sbin/swap -s ; vmstat -q 1 1 ; vmstat -s ; prstat -n 1 1 1'
        fi
        # memTotalMB from the prtconf "Memory size:" line; memFreeMB assumes the vmstat
        # data row is input line 5 and takes its 5th field (free KB) divided by 1024.
        PARSE_0='/^Memory size:/ {memTotalMB=$3} (NR==5) {memFreeMB=$5 / 1024}'
        # swap -s summary line: used and free values are the 4th- and 2nd-from-last fields.
        PARSE_1='(NR==2) {swapUsed=0+$(NF-3); swapFree=0+$(NF-1)}'
        # Counters from vmstat -s.
        PARSE_2='/pages paged out$/ {pgPageOut=$1} /pages swapped out$/ {pgSwapOut=$1}'
        PARSE_3='/cpu context switches$/ {cSwitches=$1} /device interrupts$/ {interrupts=$1} / v?forks$/ {forks+=$1}'
        # prstat "Total:" line: process count, thread count and 1-minute load average.
        PARSE_4='/^Total: / {processes=$2; threads=$4; loadAvg1mi=0+$(NF-2)}'
fi
0 Karma

jkat54
SplunkTrust

Since I don't see where the script is creating these fields, it makes me think there is more to the script or the fields in question are evaluated.

You can probably fix this using the props.conf in the app's local directory to evaluate the same field names.

[sourcetypeName]
EVAL-memUsedPct = memUsedMB/memTotalMB*100
EVAL-memFreePct = memFreeMB/memTotalMB*100
0 Karma

splunker9999
Path Finder

Added the lines below, but this is not solving the problem. I could still see events in the same format.

I believe the above lines are already added to the script.

0 Karma
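An added diagnostic (not part of the thread or of the Splunk App for Unix and Linux) that parses the sample event from the question and checks whether the derived memory fields are consistent with memTotalMB and memFreeMB; the derivation formulas are assumed, chosen because the sample row satisfies them. It shows that the percentages in the sample are exactly what the raw values produce, so the bad value is the raw memFreeMB extraction rather than the EVAL step.

```python
# Added example: isolate which vmstat.sh field is wrong by checking the
# derived memory fields against the raw ones. SAMPLE is the header/value
# pair copied from the question.
SAMPLE = """\
memTotalMB   memFreeMB   memUsedMB  memFreePct  memUsedPct   pgPageOut  swapUsedPct   pgSwapOut   cSwitches  interrupts       forks   processes     threads  loadAvg1mi
     16384      439337     -422953      2681.5     -2581.5          77         36.4           0  13949520474  10370043883    20143325         123         727        0.31
"""

def parse_vmstat_event(text):
    """Split a two-line header/value table into a {field: float} dict."""
    header, values = [line.split() for line in text.strip().splitlines()[:2]]
    if len(header) != len(values):
        raise ValueError(f"header has {len(header)} fields, row has {len(values)}")
    return dict(zip(header, map(float, values)))

def check_memory_fields(ev):
    """Return a list of findings describing which fields look wrong."""
    findings = []
    total, free = ev["memTotalMB"], ev["memFreeMB"]
    # Assumed derivation of the computed fields from the two raw ones.
    derived = {
        "memUsedMB": total - free,
        "memFreePct": free / total * 100,
        "memUsedPct": (total - free) / total * 100,
    }
    for name, expected in derived.items():
        if abs(ev[name] - expected) > 0.05:
            findings.append(f"{name} not consistent with memTotalMB/memFreeMB")
    # Raw-input sanity checks: free memory can never exceed total memory,
    # and percentages must stay within 0..100.
    if free > total:
        findings.append("memFreeMB exceeds memTotalMB: raw memFreeMB extraction is wrong")
    for name in ("memFreePct", "memUsedPct", "swapUsedPct"):
        if not 0 <= ev[name] <= 100:
            findings.append(f"{name} outside 0..100")
    return findings

if __name__ == "__main__":
    for finding in check_memory_fields(parse_vmstat_event(SAMPLE)):
        print(finding)
```

For the sample row the derived fields pass while memFreeMB fails, which is why adding EVAL-memUsedPct/EVAL-memFreePct in props.conf cannot change the result.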