Solved: Splunk add-on for Unix and Linux - netstat, logs f...

faustf · ‎03-14-2017

Hi guys,
I installed the Splunk App for Unix and Linux and the Splunk Add-on for Unix and Linux.

I've a problem with the sourcetype = netstat . The fields of these events aren't automatically extracted.
If I search (in verbose mode): "index=os sourcetype=netstat" this is the result:

As you can see the fields: "Proto Recv-Q Send-Q LocalAddress ForeignAddress State" are not extracted.

Instead, if I search (in verbose mode): "index=os sourcetype=iostat" this is the result is fine:

Thanks

faustf · ‎03-15-2017

I've just figured out that that this is a duplicated post
The solution is to use the | multikv command in the query:

index=os sourcetype=netstat | multikv

View solution in original post

mgaudie_splunk · ‎07-03-2019

To make this automatic, you can add the following to your props.conf on the search head:

[netstat]
KV_MODE = multi

mikaellindstrom · ‎09-10-2019

I know this is an answered ticket but shouldn't it be fixed in the add-on so that it's automatically available to anyone without doing any manual configuration changes?

faustf · ‎03-15-2017

I've just figured out that that this is a duplicated post
The solution is to use the | multikv command in the query:

index=os sourcetype=netstat | multikv

vumanhtai · ‎12-04-2017

yeah! i like your command

amielke · ‎03-14-2017

We have the similar problem, check that the package sysstat is installed at the operation system.

faustf · ‎03-15-2017

I checked and the sysstat package was already installed, also there are statistical logs in /var/log/sa/

The OS is Centos 6.8

amielke · ‎03-14-2017

Which distribution is it?

faustf · ‎03-14-2017

Splunk Enterprise Server 6.5.2
Splunk App for Unix splunk_app_for_nix 5.2.2
Splunk Add-on for *Nix Splunk_TA_nix 5.2.3

Splunk add-on for Unix and Linux - netstat, logs fields not extracted

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!