We are evaluating Splunk to provide central logging and to possibly replace our Zenoss monitoring tool. I've installed the *nix App, but when I look at Interface Throughput I get a "No results found." error. I have already enabled interface monitoring on my remote Linux system (RHEL 5.6) and I can see events; however, many of the fields appear to be empty.
Is the collection script on the client side not parsing the output correctly? Thank you.
The following is the search from the job inspector:
search index="os" sourcetype="interfaces" host=* | multikv fields name, inetAddr, RXbytes, TXbytes | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name | eval time=_time | strcat Name "-" inetAddr "@" host Interface_Host | eval RX_Thruput_KB = (lastRX-RXbytes)/1024 | eval TX_Thruput_KB = (lastTX-TXbytes)/1024 | timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host
It states that "the transforming commands in the highlighted portion of the following search:
timechart eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host
over the time range:
2/9/12 4:09:00.000 PM – 2/9/12 4:24:07.000 PM
generated no results."
It also spat out the following debug messages:
DEBUG: Specified field(s) missing from results: 'TX_Thruput_KB'
DEBUG: base lispy: [ AND host::* index::os sourcetype::interfaces ]
DEBUG: search context: user="admin", app="unix", bs-pathname="/opt/splunk/etc"
The interfaces.sh script has some problems that you can find in other answers:
http://splunk-base.splunk.com/answers/22690/getting-syntax-error-from-interfacessh-for-nix-app
Look there for the patch. You can test that this is the issue by running:
index="os" sourcetype="interfaces"
If I am right, there won't be any results.
Verdantjellis, just came across the same extra '.' on line 27:
CMD='ifconfig'.
After removing it, the script ran and my charts started to be generated.
Yes, I too ran across this. Still line 27. Take out the '.' (period) and it runs just fine and charts generate.
File (default install):
/opt/splunk/etc/apps/unix/bin/interfaces.sh
This occurs on CentOS 6.3:
2.6.32-279.1.1.el6.x86_64 #1 SMP Tue Jul 10 13:47:21 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
bump - need more information to help you out 🙂
OK - what happens when you run the search above?
Actually, my original issue still remains, though, after fixing the interfaces.sh script. I still am unable to generate a chart of throughput with the same errors as above...
Glad to help. We will have this issue fixed in a forthcoming version of the app.
Thanks for the info. After doing some more research, I figured out how to run the interfaces.sh script in debug mode, and that's where I saw the error that the 'ifconfig.' command could not be found. There was a '.' put on the end of the command in the script, and after removing that the command ran properly.
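The shell joins text that directly follows a closing quote onto the quoted word, which is why `CMD='ifconfig'.` assigns `ifconfig.` and the collector fails. The following check is an added example, not part of the thread or of the *nix App; the function name `lint_cmd_assignments` and the two-line sample file are constructed for illustration.

```shell
#!/bin/sh
# Flag CMD= assignments where text directly follows the closing quote.
# Adjacent quoted and unquoted text form one word in the shell, so
# CMD='ifconfig'. stores "ifconfig." in CMD.

# lint_cmd_assignments FILE
# Prints "LINE: CMD=<value the shell would assign>" for each suspect line.
# Returns 1 if any suspect assignment was found, 0 otherwise.
lint_cmd_assignments() {
    awk '
        # \047 is a single quote. After the closing quote, any character
        # other than whitespace or ; & | ) is still part of the same word.
        match($0, /^[ \t]*CMD=\047[^\047]*\047[^ \t;&|)]+/) ||
        match($0, /^[ \t]*CMD="[^"]*"[^ \t;&|)]+/) {
            word = substr($0, RSTART, RLENGTH)
            sub(/^[ \t]*CMD=/, "", word)
            gsub(/[\047"]/, "", word)   # drop quotes to get the assigned value
            printf "%d: CMD=%s\n", NR, word
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample reproducing the assignment quoted in the thread.
sample=$(mktemp)
printf '%s\n' '#!/bin/sh' "CMD='ifconfig'." > "$sample"
lint_cmd_assignments "$sample" || echo "stray text after a closing quote"
rm -f "$sample"
```

Run it against each script in the app's bin directory after an install or upgrade; an empty result with exit status 0 means no CMD assignment has trailing text.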