Splunk indexer (version 6.3.0) is installed and the forwarder (6.2.1) is configured. I can search for data with the query index=os sourcetype="cpu" under the Search tab of the Splunk App for Unix. However, under the Host tab it says "unknown - is cpu.sh enabled?" and no data is available. The app is in enabled status under the Manage Apps tab. Has anyone faced this issue? Please share your comments.
Sounds like you might be peeking at the Data Summary button on a blank Search screen.
If I remember correctly, that is going to show details on the indexes your ID searches by default. Since you likely need to put index=os into a search to get that data, it won't appear on that table.
You can work around this though; that table just runs the metadata command, so you could take a step into your Splunk Ninja training by trying your hand at:
| metadata index=* type=sourcetypes
Learn more at Search Reference: metadata
Can you share the inputs.conf under the nix TA? Is cpu.sh enabled on the forwarder?
The inputs.conf part is as follows:
[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 30
index = os
disabled = 0
Also, I found that cpu.sh is enabled on the forwarder:
*** Splunk> nix command-line setup > SHOW INPUT STATUS **
Scripted Inputs:
0) /$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/bin/bandwidth.sh
enabled: *** disabled: interval: 60
1) /$SPLUNK_HOME/splunkforwarder/etc/apps/Splunk_TA_nix/bin/cpu.sh
enabled: *** disabled: interval: 30
Under the Host tab the data is not showing, and not only for cpu.sh but also for other information like df, vmstat, etc. But to my wonder, if I query directly, e.g. index=os sourcetype=df or vmstat, under the Search tab all data is available up to the latest from all of the hosts. Hence I believe the data is received at the indexer but not processed by the app. Can this be the case?
If you see the data, then this might be the case; look at the permission for searching indexes by default.
Many times, apps use sourcetypes in searches without indicating an index. If the os index is not searched by default, the panel will not populate.
Go to Settings -> Access controls -> Roles -> your role -> scroll down -> add the os index to "Indexes searched by default".
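The two conditions raised in this thread (the scripted input is enabled and routed to index=os, and the searching role has os among its default indexes) can be checked offline from copies of the forwarder's inputs.conf and the search head's authorize.conf. The script below is an added example, not code from the thread or from the Splunk App for Unix; the two config texts are constructed samples with the same layout as the poster's stanza, the role names are invented, and it assumes the authorize.conf conventions that srchIndexesDefault, srchIndexesAllowed and importRoles are semicolon-separated lists and that index entries may be wildcards.

```python
"""Added example: verify that cpu.sh is enabled and routed to index=os, and
that a role searches that index by default (following importRoles).
Config texts are constructed samples, not taken from the poster's system."""
import configparser
from fnmatch import fnmatch

# Constructed sample of the forwarder's Splunk_TA_nix inputs.conf
INPUTS_CONF = """
[script://./bin/cpu.sh]
sourcetype = cpu
source = cpu
interval = 30
index = os
disabled = 0

[script://./bin/bandwidth.sh]
sourcetype = bandwidth
index = os
disabled = 1
"""

# Constructed sample of authorize.conf on the search head (role names invented)
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;os
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesDefault = os
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp


def enabled_scripts_for_index(inputs_text, index):
    """Return script:// stanzas that are enabled and write to `index`."""
    cp = _parse(inputs_text)
    hits = []
    for name in cp.sections():
        if not name.startswith("script://"):
            continue
        sec = cp[name]
        disabled = sec.get("disabled", "0").strip().lower() in ("1", "true")
        # A stanza without an index setting goes to the default index, not os
        if not disabled and sec.get("index", "default").strip() == index:
            hits.append(name)
    return hits


def default_indexes(authorize_text, role, _seen=None):
    """Collect srchIndexesDefault patterns for a role, including inherited roles."""
    if _seen is None:
        _seen = set()
    if role in _seen:          # guard against importRoles cycles
        return set()
    _seen.add(role)
    cp = _parse(authorize_text)
    stanza = "role_" + role
    if stanza not in cp:
        return set()
    sec = cp[stanza]
    pats = {p.strip() for p in sec.get("srchIndexesDefault", "").split(";") if p.strip()}
    for parent in sec.get("importRoles", "").split(";"):
        if parent.strip():
            pats |= default_indexes(authorize_text, parent.strip(), _seen)
    return pats


def searches_index_by_default(authorize_text, role, index):
    """True if an index-less search run as `role` would cover `index`."""
    return any(fnmatch(index, pat) for pat in default_indexes(authorize_text, role))


if __name__ == "__main__":
    print("enabled inputs to os:", enabled_scripts_for_index(INPUTS_CONF, "os"))
    for role in ("user", "analyst"):
        print(role, "searches os by default:",
              searches_index_by_default(AUTHORIZE_CONF, "%s" % role, "os"))
```

In the sample, the user role is allowed to search os but does not do so by default, which is exactly the state that leaves the app's index-less panel searches empty while an explicit index=os search works; the analyst role, which lists os in srchIndexesDefault, passes. Run it against real files by replacing the two constructed strings with the file contents.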
Thanks for your efforts and information; for sure I can verify your suggestion.
By the way, I am finding some errors printed in splunkd.log on the Splunk indexer instance which mention time parsing. After installing the Splunk App for Unix, does any time-parsing configuration need to be done for the inputs received?
The errors are printed as follows:
04-26-2017 00:36:01.682 +0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Aug 8 00:13:09 2016). Context: source::ps|host::XXXXXX|ps|24272
04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Thu Oct 27 17:33:59 2016) is suspiciously far away from the previous event's time (Tue Apr 25 16:16:42 2017), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX|lastlog|24275
315 similar messages suppressed. First occurred at: Wed Apr 26 00:31:31 2017
04-26-2017 00:37:01.523 +0400 WARN DateParserVerbose - Accepted time (Sun Feb 26 18:20:27 2017) is suspiciously far away from the previous event's time (Mon Sep 28 12:43:48 2015), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::XXXXXX1|lastlog|24275
Can there be any case where the data cannot be pulled and displayed in the app dashboard if time parsing is failing?
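The warnings quoted above matter for the dashboard question because an event whose timestamp is "defaulted" to a months-old previous event, or accepted far from its neighbours, is indexed at that time and falls outside any recent time range a panel searches. The script below is an added example, not part of the thread or of the Splunk App for Unix: it parses DateParserVerbose warnings of the shape shown, attributes each to host and source, computes how far the assigned event time is from the time the warning was logged, and folds in the "N similar messages suppressed" continuation line. The log excerpt is a constructed sample in the same format as the poster's (hostnames invented); the day-counting treats both timestamps as the indexer's local time, which is an assumption.

```python
"""Added example: triage DateParserVerbose warnings from splunkd.log.
Sample log text is constructed to match the thread's excerpt; hosts are invented."""
import re
from datetime import datetime

SPLUNKD_LOG = """\
04-26-2017 00:36:01.682 +0400 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Mon Aug  8 00:13:09 2016). Context: source::ps|host::web01|ps|24272
04-26-2017 00:37:01.523 +0400 WARN  DateParserVerbose - Accepted time (Thu Oct 27 17:33:59 2016) is suspiciously far away from the previous event's time (Tue Apr 25 16:16:42 2017), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::web01|lastlog|24275
  315 similar messages suppressed.  First occurred at: Wed Apr 26 00:31:31 2017
04-26-2017 00:37:01.523 +0400 WARN  DateParserVerbose - Accepted time (Sun Feb 26 18:20:27 2017) is suspiciously far away from the previous event's time (Mon Sep 28 12:43:48 2015), but still accepted because it was extracted by the same pattern. Context: source::lastlog|host::db02|lastlog|24275
"""

# One warning line: log timestamp, message, then the Context: source|host|sourcetype|id tail
LINE_RE = re.compile(
    r"^(?P<logged>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} [+-]\d{4}\s+WARN\s+DateParserVerbose - "
    r"(?P<msg>.*?)\s+Context: source::(?P<source>[^|]+)\|host::(?P<host>[^|]+)\|(?P<sourcetype>[^|]+)\|\d+\s*$"
)
# Continuation line Splunk prints when it has rate-limited identical warnings
SUPPRESSED_RE = re.compile(r"^\s*(?P<n>\d+) similar messages suppressed")
# First ctime-style timestamp in the message: the time Splunk actually assigned to the event
EVENT_TIME_RE = re.compile(
    r"\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\)"
)


def _ctime(s):
    return datetime.strptime(s.strip("()"), "%a %b %d %H:%M:%S %Y")


def parse_warnings(text):
    """Return one record per warning; suppressed counts are added to the preceding record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msg = m.group("msg")
            assigned = _ctime(EVENT_TIME_RE.search(msg).group(0))
            logged = datetime.strptime(m.group("logged"), "%m-%d-%Y %H:%M:%S")
            records.append({
                "kind": "failed" if msg.startswith("Failed to parse") else "suspicious",
                "host": m.group("host"),
                "source": m.group("source"),
                "assigned_time": assigned,
                # Days between wall-clock ingest and the timestamp the event was indexed at
                # (assumes both are in the indexer's local time)
                "skew_days": (logged - assigned).days,
                "count": 1,
            })
            continue
        s = SUPPRESSED_RE.match(line)
        if s and records:
            records[-1]["count"] += int(s.group("n"))
    return records


def summarize(records):
    """Per (host, source): warning counts, affected events and worst skew in days."""
    out = {}
    for r in records:
        e = out.setdefault((r["host"], r["source"]),
                           {"failed": 0, "suspicious": 0, "events": 0, "worst_skew_days": 0})
        e[r["kind"]] += 1
        e["events"] += r["count"]
        e["worst_skew_days"] = max(e["worst_skew_days"], abs(r["skew_days"]))
    return out


def outside_window(records, window_days):
    """(host, source) pairs whose assigned event times fall outside a panel's time window."""
    return sorted({(r["host"], r["source"]) for r in records
                   if abs(r["skew_days"]) > window_days})


if __name__ == "__main__":
    recs = parse_warnings(SPLUNKD_LOG)
    for key, stats in summarize(recs).items():
        print(key, stats)
    print("would be missed by a 7-day panel:", outside_window(recs, 7))
```

For the sample, every host/source pair lands 58 to 261 days away from the ingest time, so a "last 24 hours" or "last 7 days" panel would show nothing for them even though an all-time search with index=os returns the events.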
Please check this doc about sysstat and troubleshooting here:
http://docs.splunk.com/Documentation/UnixApp/5.2.2/User/TroubleshoottheSplunkAppforUnixandLinux