Troubleshoot the Splunk Add-on for Linux
General troubleshooting
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Cannot launch add-on
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Check if the add-on is intended to be visible or not in the Splunk Add-ons Troubleshooting topic.
Validate data collection
Validate the data inputs to make sure that you are ingesting the data you expect.
- HEC:
  sourcetype=linux:collectd:http:json index=<collectd-source-index>
- HEC with metrics data:
  | mstats count(_value) where metric_name=* AND index=<metrics index name> by metric_name
- TCP:
  sourcetype=linux:collectd:graphite index=<collectd-source-index>
- AuditD:
  sourcetype=linux:audit index=<auditd-source-index>
The default search uses index="main".
Audit data not collected
Create a new TCP data input configuration and make sure the source type is set to linux:audit.
If you are collecting audit data in a syslog source type using TCP, then you must assign the correct source type.
- Add the following stanza to $SPLUNK_HOME/etc/apps/Splunk_TA_Linux/local:
  [syslog]
  TRANSFORMS-linux_syslog = linux_syslog_audit
- Add the following stanza to $SPLUNK_HOME/etc/apps/Splunk_TA_Linux/local/props.conf:
  [linux_syslog_audit]
  DEST_KEY = MetaData:Sourcetype
  REGEX = type=\S+\s+msg=audit
  FORMAT = sourcetype::linux:audit
- Restart Splunk.
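As an added illustration (not code from the Splunk documentation or the add-on), this Python script replays the REGEX from the linux_syslog_audit stanza over a few constructed syslog lines to show which events the transform re-tags as linux:audit and which keep their incoming source type; the helper names and the sample lines are assumptions made for the example.

```python
import re

# The REGEX from the linux_syslog_audit stanza above. A Splunk transforms REGEX is
# unanchored PCRE applied to _raw (the default SOURCE_KEY); re.search reproduces
# that matching behaviour for this pattern.
AUDIT_REGEX = re.compile(r"type=\S+\s+msg=audit")

# Matches the audit record header "msg=audit(<epoch>.<ms>:<serial>)" so the
# example can also pull out the record identifier auditd assigns.
AUDIT_MSG = re.compile(r"msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\)")


def route_sourcetype(raw, incoming="syslog"):
    """Return the source type Splunk assigns once the transform has run:
    linux:audit when the REGEX matches, otherwise the incoming source type."""
    return "linux:audit" if AUDIT_REGEX.search(raw) else incoming


def audit_event_id(raw):
    """Return (epoch, serial) from an audit record header, or None if absent."""
    m = AUDIT_MSG.search(raw)
    if not m:
        return None
    return int(m.group("epoch")), int(m.group("serial"))


def route_all(lines):
    """Apply both helpers to every line; returns [(sourcetype, event_id), ...]."""
    return [(route_sourcetype(line), audit_event_id(line)) for line in lines]


# Constructed sample lines (hypothetical, not captured from a real host). The
# last one contains "msg=audit" without a preceding "type=" field and so must
# keep the syslog source type.
SAMPLE_LINES = [
    "<13>Jun 12 10:01:02 host1 audispd: type=SYSCALL msg=audit(1718186462.123:4567): arch=c000003e syscall=59 success=yes",
    "<13>Jun 12 10:01:02 host1 audispd: type=USER_LOGIN msg=audit(1718186462.124:4568): pid=1234 uid=0 msg='op=login acct=\"root\"'",
    "<13>Jun 12 10:01:03 host1 sshd[2345]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<13>Jun 12 10:01:04 host1 app: note: msg=audit without a preceding type field",
]

if __name__ == "__main__":
    for line, (sourcetype, event_id) in zip(SAMPLE_LINES, route_all(SAMPLE_LINES)):
        print(f"{sourcetype:12} {event_id!s:22} {line[:60]}")
```

Run against your own forwarded syslog, the script tells you before a restart whether the REGEX will actually match the lines you expect to land in the linux:audit index.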