All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

nmon2csv.pl not running?

pverbruggen2
New Member
‎12-03-2014 12:32 AM

Hi,

We installed the NMON app on our indexer/searchhead and the TA on one of our universal forwarders running AIX (no Python installed). We checked and rechecked the configuration but can't seem to get any data in index=nmon except this:

12/2/14 7:51:27.000 PM starting nmon : /usr/bin/nmon -f -T -A -d -K -L -M -P -^ -s 10 -c 6 in /opt/splunkforwarder/etc/apps/TA-nmon/var/nmon_temp

There is data in the directory TA-nmon/var/nmon-temp and TA-nmon/var/nmon_repository, but never in var/csv_repository. Also, the var/spool directory does not get created until I manually start the script from the bin directory: "cat .nmon | nmon2csv.pl". At that point the csv_repository directory is populated with files and those are correctly indexed.

We have the standard inputs.conf and props.conf (except for the nmon2csv.pl instead of nmon2csv.py) and we can't install Python on the AIX machine, not even for testing.

Any help would be greatly appreciated!

Thanks, Peter

0 Karma
Reply

guilmxm
Influencer
‎12-03-2014 01:11 AM

Sometimes it seems splunk has some difficulties on AIX with props rex matching and paths using variables.

Can you please try:

On the UF (or on the deploy server if you are using one), create a local/props.conf that will contains:

[source::/opt/splunkforwarder/etc/apps/TA-nmon/var/nmon_repository/*.nmon]

invalid_cause = archive
unarchive_cmd = /opt/splunkforwarder/etc/apps/TA-nmon/bin/nmon2csv.pl
sourcetype = nmon_processing
NO_BINARY_CHECK = true

Restart the UF and check sourcetype content in the indexer:

index=non earliest="0" latest="now" | stats count by sourcetype

One question, when you manually run the "nmon2csv.pl", it generates the csv data in csv_repository and config_repository, you say it is then indexed as expected, so you have data in "nmon_data" sourcetype and "nmon_config" right ?

If not, try creating a local/inputs.conf and replace the call to $SPLUNK_HOME by the full path, and restart

0 Karma
Reply

guilmxm
Influencer
‎12-03-2014 01:00 AM

Hello Peter,

I will be pleased to help solve the problem.

Can we exchange by mail ? You can contact me through the App Home Page. (i'm the author of the Nmon App)

Thanks.

Guilhem

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...