
Splunk Add-on for Unix and Linux detailed list of collected data

faustf
Communicator

Is there a detailed list of the data that the Splunk Add-on for Unix and Linux collects?
I found this documentation, but it is not very detailed.
For example, what does TCPrexmits (sourcetype=protocol) mean?
Does this add-on also collect how many packets have been retransmitted?

Thanks

0 Karma

fbhoraniya_splu
Splunk Employee

No, there is no other documentation available for the details of the data collected by the Unix and Linux add-on.

The meaning of each field for sourcetype protocol is as below:

  • IPdropped - Outgoing packets dropped
  • TCPrexmits - Segments retransmitted
  • TCPreorder - Detected reordering
  • TCPpktRecv - Segments received
  • TCPpktSent - Segments send out
  • UDPpktLost - UDP Packet receive errors
  • UDPunkPort - UDP Packets to unknown port received
  • UDPpktRecv - UDP Packets received
  • UDPpktSent - UDP Packets Sent

If you want to understand the meaning of the fields for other sourcetypes, then, as SloshBurch said, you will have to understand the script of that sourcetype.

And for the data collection of the packets retransmitted, as far as I know only the TCPrexmits field of sourcetype protocol contains that data.
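
The field descriptions in the list above read like the counter lines of `netstat -s`, which is also the kind of man-page cross-check sloshburch recommends (find the Unix command behind the sourcetype, then read what the command itself says the counter means). What follows is an added example, not protocol.sh or any other code from the Splunk Add-on for Unix and Linux: a small POSIX shell script that reads a constructed `netstat -s` sample and maps the counters onto the sourcetype=protocol field names from the list, so that an analyst can confirm on their own host what each field actually counts. The function names, the sample counter values, and the assumption that each field corresponds to the `netstat -s` line with the same wording are mine, not the add-on's.

```shell
#!/bin/sh
# Added example: maps `netstat -s` counters onto the sourcetype=protocol
# field names described in the answer above. This is NOT protocol.sh from
# the Splunk Add-on for Unix and Linux; the field-to-line mapping below is
# an assumption based on the wording of the field descriptions.

# Constructed sample of `netstat -s` output (not captured from a real host).
# On a real system you would feed "$(netstat -s)" to protocol_fields instead.
sample_netstat_s() {
    cat <<'EOF'
Ip:
    10 total packets received
    0 forwarded
    0 incoming packets discarded
    3 outgoing packets dropped
Tcp:
    12 active connection openings
    100 segments received
    200 segments send out
    5 segments retransmitted
    0 bad segments received
Udp:
    40 packets received
    2 packets to unknown port received
    1 packet receive errors
    30 packets sent
TcpExt:
    Detected reordering 4 times using SACK
EOF
}

# counter TEXT SECTION PHRASE: print the counter whose wording (after the
# leading number) is exactly PHRASE inside SECTION (Ip, Tcp, Udp, TcpExt).
# Matching the whole phrase within a section keeps "segments received"
# apart from "bad segments received" and UDP "packets received" apart from
# IP "total packets received". Prints 0 when the counter is absent, which is
# how a missing kernel counter would otherwise silently become an empty field.
counter() {
    printf '%s\n' "$1" | awk -v sect="$2" -v phrase="$3" '
        /^[A-Za-z]+:[ \t]*$/ { section = substr($1, 1, length($1) - 1); next }
        # "Detected reordering N times ..." carries its number mid-line.
        section == sect && phrase == "Detected reordering" &&
            $1 == "Detected" && $2 == "reordering" { print $3; found = 1; exit }
        section == sect {
            n = $1; $1 = ""; sub(/^[ \t]+/, "")
            if ($0 == phrase) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# protocol_fields TEXT: print the nine fields as key=value pairs on one line.
protocol_fields() {
    text="$1"
    printf 'IPdropped=%s TCPrexmits=%s TCPreorder=%s TCPpktRecv=%s TCPpktSent=%s ' \
        "$(counter "$text" Ip "outgoing packets dropped")" \
        "$(counter "$text" Tcp "segments retransmitted")" \
        "$(counter "$text" TcpExt "Detected reordering")" \
        "$(counter "$text" Tcp "segments received")" \
        "$(counter "$text" Tcp "segments send out")"
    printf 'UDPpktLost=%s UDPunkPort=%s UDPpktRecv=%s UDPpktSent=%s\n' \
        "$(counter "$text" Udp "packet receive errors")" \
        "$(counter "$text" Udp "packets to unknown port received")" \
        "$(counter "$text" Udp "packets received")" \
        "$(counter "$text" Udp "packets sent")"
}

# retransmit_permille TCPrexmits TCPpktSent: retransmitted segments per 1000
# sent, as an integer. Since both counters are cumulative since boot, compare
# the ratio between two samples rather than trusting a single reading.
retransmit_permille() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 * 1000 / $2 ))
}

# Demo run on the constructed sample.
fields=$(protocol_fields "$(sample_netstat_s)")
echo "$fields"
echo "retransmits per 1000 segments sent: $(retransmit_permille 5 200)"
```

The script prints `IPdropped=3 TCPrexmits=5 TCPreorder=4 TCPpktRecv=100 TCPpktSent=200 UDPpktLost=1 UDPunkPort=2 UDPpktRecv=40 UDPpktSent=30` for the sample. Because `netstat -s` counters are cumulative, a single TCPrexmits value says little; the useful number for spotting a degraded link or a host under load is the change in TCPrexmits relative to the change in TCPpktSent between two collection intervals.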

sloshburch
Splunk Employee

(What follows is an incomplete answer)

No such detailed list appears to exist. Here's some advice that can help, but you'll see why it is incomplete soon enough.

Based on the banner messages in the link you shared, I suggest these pages instead: Splunk Add-on for Unix and Linux and Source types for the Splunk Add-on for Unix and Linux.

The way I would answer your question is to look at what Unix command is being used for that sourcetype and check that Unix command's man page for the elaboration on what the field represents.

Annoyingly, in the example you provided, it appears that TCPrexmits is a row header produced by protocol.sh and not actually defined within the Unix command. I can't tell from the script what that field name is meant to represent. As such, this is something I'm discussing with folks internally... but no promises.

0 Karma

sloshburch
Splunk Employee

BTW: merely reading the field name TCPrexmits, I believe it's shorthand for "TCP retransmits". So I guess it is the number of times packets had to be resent? I'm also being told it could map to the retransmission timeout.

0 Karma