Is there a detailed list of collected data that Splunk add-on for unix and linux collects?
I found this documentation, but it is not very detailed.
For example, what does TCPrexmits (sourcetype=protocol) mean?
Does this add-on also collect how many packets have been retransmitted?
Thanks
No, there is no other documentation available for the details of the data collected by the unix and linux add-on.
Meaning of each field for the sourcetype protocol is as below
If you want to understand the meaning of fields for other sourcetypes, like SloshBurch said you will have to understand the script of that sourcetype.
And for the data collection of the packets re-transmitted, as per my knowledge only TCPrexmits field of sourcetype protocol contains that data.
(What follows is an incomplete answer)
No such detailed list appears to exist. Here's some advice that can help, but you'll see why it is incomplete soon enough.
Based on the banner messages in the link you shared, I suggest these pages instead: Splunk Add-on for Unix and Linux and Source types for the Splunk Add-on for Unix and Linux.
The way I would answer your question is to look at what unix command is being used for that sourcetype and check that unix command's man page for the elaboration on what the field represents.
Annoyingly, in the example you provided, it appears that TCPrexmits is a row header produced by protocol.sh and not actually defined within the unix command. I can't tell from the script what that field name is meant to represent. As such, this is something I'm discussing with folks internally... but no promises.
BTW: Merely reading the field name TCPrexmits, I believe it's shorthand for "TCP retransmits". So I guess the number of times packets had to be resent? I'm also being told it could map to the re-transmission timeout.