Refine your search:

*nix App interfaces no results found

0

We are evaluating Splunk to provide central logging and to possibly replace our Zenoss monitoring tool. I've installed the *nix App but when I look at Interface Throughput I get a "No results found." error. I have already enabled interface monitoring on my remote Linux system (RHEL 5.6) and I can see events, however many of the fields appear to be empty.

Is the collection script on the client side not parsing the output correctly? Thank you.

The following is the search from the job inspector:

search index="os" sourcetype="interfaces" host=*   | multikv fields name, inetAddr, RXbytes, TXbytes   | streamstats current=f last(TXbytes) as lastTX, last(RXbytes) as lastRX by Name    | eval time=_time   | strcat Name "-" inetAddr "@" host Interface_Host   | eval RX_Thruput_KB = (lastRX-RXbytes)/1024   | eval TX_Thruput_KB = (lastTX-TXbytes)/1024   | timechart  eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host

It states that "the transforming commands in the highlighted portion of the following search:

timechart  eval(sum(TX_Thruput_KB)/dc(time)) by Interface_Host

over the time range:

2/9/12 4:09:00.000 PM – 2/9/12 4:24:07.000 PM

generated no results."

It also spat out the following debug messages:

DEBUG: Specified field(s) missing from results: 'TX_Thruput_KB'
DEBUG: base lispy: [ AND host::* index::os sourcetype::interfaces ]
DEBUG: search context: user="admin", app="unix", bs-pathname="/opt/splunk/etc"

asked 09 Feb, 17:09

verdantjellis's gravatar image

verdantjellis
211
accept rate: 0%

2 Answers:
oldestnewestmost voted
0

The interfaces.sh script has some problems that you can find in other answers:

http://splunk-base.splunk.com/answers/22690/getting-syntax-error-from-interfacessh-for-nix-app

Look there for the patch. You can test that this is the issue by running:

 index="os" sourcetype="interfaces"

If I am right, there won't be any results.

link

answered 09 Feb, 17:39

araitz's gravatar image

araitz ♦♦
7.1k2516
accept rate: 38%

1

Thanks for the info, after doing some more research I figured out how to run the interfaces.sh script in debug mode and that's where I saw the error that the 'ifconfig.' command could not be found. There was a '.' put on the end of the command in the script and after removing that the command ran properly.

(10 Feb, 08:05) verdantjellis

Glad to help. We will have this issue fixed in a forthcoming version of the app.

(10 Feb, 08:41) araitz ♦♦

Actually, my original issue still remains, though, after fixing the interfaces.sh script. I still am unable to generate a chart of throughput with the same errors as above...

(10 Feb, 08:56) verdantjellis

OK - what happens when you run the search above?

(10 Feb, 09:01) araitz ♦♦

bump - need more information to help you out :)

(13 Feb, 10:28) araitz ♦♦
0

Verdantjellis, just came across the same extra '.' on line 27: CMD='ifconfig'.

After removing it, the script ran and my charts started to be generated.

link

answered 28 Feb, 13:43

bluelip's gravatar image

bluelip
211
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×251
×207
×88

Asked: 09 Feb, 17:09

Seen: 428 times

Last updated: 28 Feb, 13:43

Related questions

Getting syntax error from interfaces.sh for *nix app

Seeing errors related to Unix (*NIX) app's interfaces.sh

Why does the Splunk Licensing Usage app always report "No results found"?

Does Splunk for *nix App support HPUX?

No results found using Web Intelligence app

*Nix App - Collecting data remotely from other host. Without installing Splunk on them

cant setup *nix app: Splunk cannot find "apps/local/unix/setup".

Not able to see the app Splunk TA for *nix in Splunk Home

Splunk setup with light forwarders and *nix App

Copyright © 2005-2012 Splunk, Inc. All rights reserved.