Description

Splunk for *nix provides pre-built data inputs, searches, reports, alerts and dashboards for Linux and Unix management. Now you can monitor, manage and troubleshoot *nix operating systems from one place with Splunk for *nix. Included are a set of scripted inputs for collecting CPU, disk, I/O, memory, log, configuration and user data. The app makes getting started with Splunk a breeze. Please refer to the official documentation on docs.splunk.com. The current version of the app (4.5) is compatible with Splunk 4.2 and higher. If you are using Splunk 4.1.7 or earlier, please click on "show older versions >>" below to grab the previous 4.2 release.

Versions and Release Notes
Version 4.5 (current version - updated Nov 07, 2011)
release notes:
- **Compatible with Splunk 4.2 and higher**
- Documentation! This app now has official Splunk documentation that will be maintained with every release of the app.
- Many bug fixes.
- New setup and first-time run tools.
- Enhanced support for AIX.
Version 4.2.0
(updated Mar 15, 2011)
release notes:
- Updated to provide compatibility with Splunk 4.2
Version 4.1.4
(updated Jul 20, 2010)
Version 4.1.3
(updated Jun 16, 2010)
Version 4.1.2
(updated May 21, 2010)
Version 4.1
(updated Apr 05, 2010)
Version 4.0.10
(updated Mar 18, 2010)
Version 4.0.9
(updated Feb 26, 2010)
Version 1.2
(updated Jul 30, 2009)
Version 1.1
(updated Jul 30, 2009)
Version 1.0
(updated Jul 20, 2009)
Running version 4.5 on Splunk 4.3, many of the charts in this app are still Flash-based. It would be nice to see these converted to HTML5-based charts.
Scripts run slow, and reports are super-slow, cpu-bounded instead of disk-bounded.
For example, CPU usage per process report, last 7 days, one machine, takes minutes to complete in a 4-core CPU machine, 4 GB RAM, linux.
In rough numbers, extracting, parsing, and summing the numbers of ~10k events produced by the ps scripted input took about 7 minutes (given ps.sh is executed every minute, 60x24x7=10080).
Using vmstat, iostat and top shows splunkd is eating two cores, but there is very little disk activity.
Any hint on how to diagnose why this is slow?
On the ps.sh script, is there a reason the start_time was not added to the output? It would be most helpful to know the start time of a process.
In the future, please use answers rather than reviews for questions/comments :)
I don't know the original reason, but I will look into adding it in a future release of the app.
To know the start time of the process, take the time ps.sh event was generated, and subtract "process elapsed time".
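A worked version of the calculation described in the reply above, added here as an example and not taken from the Splunk for *nix app or from this thread. ps(1) reports elapsed time (the `etime` column) as `[[dd-]hh:]mm:ss`, so the value has to be converted to seconds before it can be subtracted from the event timestamp. The event timestamp and etime values below are constructed, and the real ps.sh output layout is not assumed; only the arithmetic is shown.

```sh
#!/bin/sh
# Added example, not code from the Splunk for *nix app: derive a process start
# time as the reply above describes, i.e. event time minus the elapsed time
# that ps(1) reports for the process.  ps prints elapsed time ("etime") as
# [[dd-]hh:]mm:ss, so it is converted to seconds first.

# Convert a ps etime value ([[dd-]hh:]mm:ss) to a number of seconds.
# Prints nothing and returns 1 if the value is not in that format.
etime_to_seconds() {
    printf '%s\n' "$1" | awk -F'[-:]' '
        $0 !~ /^([0-9]+-)?([0-9]+:)?[0-9]+:[0-9]+$/ { exit 1 }
        {
            n = NF
            s = $n
            m = $(n - 1)
            h = (n >= 3) ? $(n - 2) : 0
            d = (n == 4) ? $1 : 0
            print d * 86400 + h * 3600 + m * 60 + s
        }'
}

# Start time (as a Unix epoch) of a process, given the epoch timestamp of the
# ps.sh event it appeared in and the etime value taken from that event.
process_start_epoch() {
    event_epoch="$1"
    elapsed=$(etime_to_seconds "$2") || return 1
    echo $(( event_epoch - elapsed ))
}

# Constructed sample values: one event timestamp and the three etime layouts.
sample_event_epoch=1320823731
for etime in 1-02:03:04 02:03:04 03:04; do
    printf 'etime %-10s -> elapsed %6s s, started at epoch %s\n' \
        "$etime" "$(etime_to_seconds "$etime")" \
        "$(process_start_epoch "$sample_event_epoch" "$etime")"
done
```

The awk program rejects anything that is not an etime value before doing arithmetic, so a malformed field produces an empty result and a non-zero status rather than a wrong start time; the same check is worth keeping if the calculation is moved into a Splunk search.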
/opt/splunk/etc/apps/unix/bin/interfaces.sh contains a typo in line number 27:
CMD='ifconfig'.
causes "command not found" errors; see also the message from tikums, 09 Nov 11. Removing the trailing dot will fix the problem.
CMD='ifconfig'
Agreed, found the symptom via Splunk On Splunk, hoping this fixes it :)
Running Ubuntu 10.04.03 LTS on Citrix Xenserver and Hyper-V. Neither of these provides speed or duplex settings within dmesg. It's not a matter of changing the pattern; the information just isn't there.
Ethtool only displays a link status, so perhaps this information is not available for the virtual network drivers?
The fixes above for awk fixed the syntax errors, so that is working nicely now. Thanks @wfroning
Can you guys or this app monitor user activities within Linux environments and the commands that they used?
That app doesn't do this explicitly, but you might get some user activities and commands through the top/ps/prstat inputs.
If Splunk is running as root and a modern shell like BASH is in use, it is possible to monitor each user's history file in their home directory to keep a record of what commands each user ran.
I will mark that down as an enhancement request for the next version of the app - tracking it as SPL-46559.
Just like others have mentioned, there are a couple of bugs in the interfaces.sh script. Besides the trailing period on CMD, the awk lines for getting the speed and duplex of the interface needed some fixing up on my Ubuntu server.
--- interfaces.sh_orig 2011-12-06 12:00:59.000000000 +0400
+++ interfaces.sh 2011-12-06 12:01:48.000000000 +0400
@@ -24,7 +24,7 @@
assertHaveCommand dmesg
CMD_LIST_INTERFACES="eval ifconfig | tee $TEE_DEST | grep 'Link encap:Ethernet' | tee -a $TEE_DEST | cut -d' ' -f1 | tee -a $TEE_DEST"
- CMD='ifconfig'.
+ CMD='ifconfig'
GET_MAC='{NR == 1 && mac = $5}'
GET_IPv4='{if ($0 ~ /inet addr:/) {split($2, a, ":"); IPv4 = a[2]}}'
GET_IPv6='{$0 ~ /inet6 addr:/ && IPv6 = $3}'
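Review bot: Besides removing the stray `.` on the `CMD='ifconfig'` line, this hunk is the place to guard the dependency: the script already calls `assertHaveCommand dmesg` just above, but `ifconfig` is invoked both through `CMD_LIST_INTERFACES` and through `$CMD` with no equivalent check, so a host where `ifconfig` is not on the Splunk user's PATH fails later with a less obvious error. Suggest adding `assertHaveCommand ifconfig` next to the dmesg assertion.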
@@ -38,8 +38,8 @@
for iface in `$CMD_LIST_INTERFACES`
do
# ethtool(8) would be preferred, but requires root privs; so we use dmesg(8), whose [a] source can be cleared, and [b] output format varies (so we have less confidence in parsing)
- SPEED=`dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'$iface'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/, array)) {print array[1] "Mb/s"} else { if (match($i,/[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d'`
- DUPLEX=`dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'$iface'/ {for (i=1; i<=NF; ++i) {if (match($i, /([\-\_a-zA-Z0-9]+)([Dd]uplex)/, array)) {print array[1]} else { if (match($i, /[Dd]uplex/)) {print $(i-1)} } } }' | sed 's/[-_]//g; $!d'`
+ SPEED=`dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'$iface'/ {for (i=1; i<=NF; ++i) {if (match($i, /([0-9]+)([Mm]bps)/)) {pattern = substr($i,RSTART,RLENGTH); print pattern "Mb/s"} else { if (match($i,/[Mm]bps/)) {print $(i-1) "Mb/s"} } } }' | sed '$!d'`
+ DUPLEX=`dmesg | awk '/[Ll]ink( is | )[Uu]p/ && /'$iface'/ {for (i=1; i<=NF; ++i) {if (match($i, /([\-\_a-zA-Z0-9]+)([Dd]uplex)/)) {pattern = substr($i,RSTART,RLENGTH); print pattern} else { if (match($i, /[Dd]uplex/)) {print $(i-1)} } } }' | sed 's/[-_]//g; $!d'`
$CMD $iface | tee -a $TEE_DEST | awk "$GET_ALL $FILL_BLANKS $PRINTF" name=$iface speed=$SPEED duplex=$DUPLEX
echo "Cmd = [$CMD $iface]; | awk '$GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX" >> $TEE_DEST
done
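Review bot: Replacing gawk's three-argument `match($i, re, array)` with the POSIX two-argument form plus `substr($i, RSTART, RLENGTH)` is the right fix for the syntax errors on mawk-based Ubuntu, but it changes what is printed: `substr()` returns the entire match, so `pattern` now carries the unit as well as the value (the SPEED regex `([0-9]+)([Mm]bps)` yields e.g. `1000Mbps`, which is printed as `1000MbpsMb/s`, and the DUPLEX regex yields e.g. `full-duplex` where the original printed `full`). Suggest stripping the suffix before printing, e.g. `sub(/[Mm]bps$/, "", pattern)` and `sub(/[Dd]uplex$/, "", pattern)`, so the `speed=` and `duplex=` values handed to the final awk keep their original format.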
Yes, we weren't able to get to fixing the interfaces.sh script for ubuntu, but your work above should help. Thanks!
FYI, the new versions of the app are NOT compatible with old versions of splunk (like 4.1.*) and will cause splunkweb to fail. Please use the old versions of the app, or upgrade your splunk.
Good call yann, I updated the version compatibility for the latest release in a few places.
On Centos 6:
11-09-2011 09:15:31.878 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/interfaces.sh" /opt/splunk/etc/apps/unix/bin/interfaces.sh: line 43: ifconfig.: command not found
The user that is running Splunk does not have ifconfig in its path. Run the following command to verify:
which ifconfig
To fix, simply add the directory that ifconfig is in to the user's PATH environment variable.
This is a bug in interfaces.sh, not a path problem. Notice that ifconfig has a period after it. Here's a patch:
27c27
< CMD='ifconfig'.
---
> CMD='ifconfig'
Thanks, not sure how that was missed :D
Feature Request: Please expand rlog.sh to cover Solaris 10 auditd-created logs. They are binary and can be viewed with praudit -l (1 line per record) or praudit -r (raw). Otherwise, the tool looks very cool.
Glad to see support for Splunk 4.x, and also that top.sh has the equivalent Solaris 10 command, prstat.
Brian Jester
I will add this to the queue for the next release of the app. Unfortunately I did not see this prior to working on 4.5.
