
Why is the data I'm getting via the Splunk Add-on for Unix and Linux changed?

Chiaki
New Member

Hi All

I encountered the issue below.
Please kindly help us if you have the answer.

I would like to know the reason and the solution.

◆Situation
When I get the data using the Splunk Add-on for Unix and Linux (default script) from a client server, the data suddenly changes, as shown below.

The indexer doesn't have the correct value; it seems that the first value is different and the following values moved to the next, and so on.

◆Example
For 'cpu' as the source type:

When the indexer gets the values as expected:

CPU=all
pctUser =0.00
pctNice =0.00
pctSystem =0.00
pctIowait =0.12

pctIdle = 99.88

But the indexer has values like below:

CPU=0.12
pctUser =0.00
pctNice =0.00
pctSystem =0.00
pctIowait =0.12

pctIdle = 99.88

So it seems like the indexer doesn't get the correct value.
As I checked, this happens only sometimes with data from the same server (sometimes it is correct and the next time it is not, something like that).

I would like to know the reason for it and what the trigger is.

Best regards
Chiaki

0 Karma

sloshburch
Splunk Employee

Sounds like an issue with the sourcetype definitions. Maybe check if someone messed with the configuration files (specifically props.conf and transforms.conf) such that they deviate from what's on Splunkbase?

0 Karma

mattymo
Splunk Employee

What does your environment look like? Is it Standalone or distributed?

Can you share a screenshot of the events?

- MattyMo
0 Karma

Chiaki
New Member

Hi mmodestino

This issue occurred in the Production environment,
and our environment is distributed using "Clustered Indexer" and "Clustered Search head".

I'm just trying to check a way to share... please wait

0 Karma