Skip to content

About the Splunk Add-on for Unix and Linux
Version 10.0.0
Vendor products All supported Unix operating systems. See Documentation.
Add-on has web UI Yes. This add-on contains views for configuration.

The Splunk Add-on for Unix and Linux allows a Splunk software administrator to collect data from Unix and Linux hosts. Install the Splunk Add-on for Unix and Linux on a forwarder to send data from any number of hosts to a Splunk Enterprise indexer or group of indexers. You can also use the add-on to provide data for other apps, such as Splunk IT Service Intelligence (ITSI) or Splunk Enterprise Security.

File Monitoring Inputs

The Splunk Add-on for Unix and Linux collects the following data using file inputs:

  • Monitoring /etc directory
  • Monitoring /var/log directory
  • Monitoring /home/*/.bash_history directory
  • Monitoring /root/.bash_history directory
  • Monitoring /var/adm directory
  • Monitoring /Library/ Logs

Scripted Inputs

The add-on collects data with the following scripted inputs:

Input Description
bandwidth.sh Network statistics via the shell commands dlstat, netstat, and sar
cpu.sh CPU statistics via the shell commands sar, mpstat, and iostat
cpu_metric.sh CPU statistics and OS info via the shell commands hostname, ifconfig, uname, sar, mpstat, and iostat
df.sh Free disk space for each mount point via the shell commands df, mount, and fstyp
df_metric.sh Statistics of free disk space for each mount point and OS info via the shell commands hostname, ifconfig, uname, df, mount, and fstyp
hardware.sh Hardware information via the shell commands cpuinfo, df, dmesg, hwinfo, ifconfig, ioscan, iostat, ip, lanscan, lsattr, lscfg, lsdev, lsps, lspv, meminfo, mpstat, prtconf, prtdiag, sysctl, system_profiler, swap, swapinfo, and top
interfaces.sh Configured network interfaces via the shell commands dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat
interfaces_metric.sh Statistics of configured network interfaces and OS info via the shell commands hostname, ifconfig, uname, dmesg, ethtool, ifconfig, kstat, lanscan, lanadmin, and netstat
iostat.sh Input/output statistics for block devices and partitions via the shell commands darwin_disk_stats, iostat, and sar
iostat_metric.sh Statistics of Input/output statistics for block devices and partitions and OS info via the shell commands hostname, ifconfig, uname, darwin_disk_stats, iostat, and sar
lastlog.sh Last login times for system accounts via the shell commands last and lastb
lsof.sh Process information via the shell command lsof
netstat.sh Network connections, routing tables, and network interface information via the shell command netstat
nfsiostat.sh Collects NFS mounts data via the shell command nfsiostat. Requires the nfs-utils package.
openPorts.sh Available network ports via the shell command netstat
openPortsEnhanced.sh TCP/UDP ports in a listening state, and information on process, process ID, IP version, and so on. via the shell commands lsof, and netstat
package.sh Lists installed software packages via the shell commands dpkg-query, pkginfo, pkg_info, pkg info, system_profiler, and swlist
passwd.sh Shows username and associated user ID, user group ID, and shell
protocol.sh TCP/UDP transfer statistics via the shell commands netstat or nstat
ps.sh Status of current running processes via the shell command ps
ps_metric.sh Statistics of the status of currently running processes and OS info via the shell command hostname, ifconfig, uname, and ps
rlog.sh Linux Auditing System events information recorded in /var/log/audit/audit.log by auditd
selinuxChecker.sh Parses /etc/sysconfig/selinux to check if SELinux is configured
service.sh Running services and associated details via the shell commands chkconfig, dscl, svcs, and systemctl
sshdChecker.sh Parses sshd_config for information local sshd configurations
time.sh System date and time, and NTP server time via the shell commands and chronyc, date and ntpdate
top.sh List of running system processes via the shell commands ps and top
update.sh Available software updates for installed packages via the shell commands softwareupdate, yum and zypper
uptime.sh System date and uptime information via the shell command date
usersWithLoginPrivs.sh Shows system username information
version.sh OS/kernel version details via the shell commands uname, sw_vers, oslevel and from /etc/*-release file.
vmstat.sh Process-related memory usage information via the shell commands prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat
vmstat_metric.sh Statistics of process-related memory usage information and OS info via the shell commands hostname, ifconfig, uname, prstat, prtconf, ps, sar, svmon, swap, swapinfo, sysctl, top, uptime, and vmstat
vsftpdChecker.sh Parses vsftpd.conf for information about local VSFTP server configurations in /etc, /etc/vsftpd, or /private/etc
who.sh Information about all users currently logged in via the shell command who

The add-on displays question marks (“?”) for blank fields that the scripted inputs return within individual events. This is expected behavior to preserve field spacing.

Download the Splunk Add-on for Unix and Linux from Splunkbase.

For a summary of new features, fixed issues, and known issues, see Release notes for the Splunk Add-on for Unix and Linux.

For information about installing and configuring the Splunk Add-on for Unix and Linux, see Installation and configuration overview for the Splunk Add-on for Unix and Linux.

See Splunk Community page for questions related to Splunk Add-on for Unix and Linux on Splunk Answers.

Overview

Source types for the Splunk Add-on for Unix and Linux

The Splunk Add-on for Unix and Linux provides the index-time and search-time knowledge for *nix events, metadata, user and group information, collaboration data, and tasks in the following formats:

Source type Description CIM data models
aix_secure The AIX security log file Authentication
auditd Auditd logs translated with ausearch n/a
bandwidth Network statistics Performance
bash_history A list of commands previously used in a bash shell n/a
config_file Configuration file information n/a
cpu CPU state information Performance
cpu_metric Statistical information of CPU n/a
df Available disk space on mounted volumes Performance
df_metric Statistical information of available disk space on mounted volumes n/a
dhcpd Dynamic Host Control Protocol (DHCP) daemon information Network Sessions
fs_notification File system notification changes Endpoint
hardware Hardware specifications Inventory
interfaces Network interface information Inventory
interfaces_metric Statistical information of network interface n/a
iostat Input/Output operation information Performance
iostat_metric Statistical information of input/output operation n/a
lastlog Last login times for system accounts n/a
linux_audit The Linux audit log file Authentication, Change
Linux:SELinuxConfig SELinux host configuration information n/a
linux_secure The Linux security log file Authentication, Network Sessions, Change
lsof A list of the open files on a host n/a
netstat The state of the network (open/listening ports, connections, and so on) on a host Endpoint
nfsiostat Collects NFS mounts data Performance
openPorts A list of the open ports on a host n/a
osx_secure The security log file for Mac OS X n/a
package A list of installed packages n/a
protocol Network protocol stack information n/a
ps Process information Performance
ps_metric Process statistical information n/a
time Time service information n/a
top Process and system resource information n/a
Unix:CPUTime Statistics about the amount of time the CPU dedicated to specific processes Performance
Unix:ListeningPorts Network ports that the OS is listening on n/a
Unix:Service Unix service information Endpoint
Unix:SSHDConfig Local sshd configuration information n/a
Unix:Update A list of software updates for installed packages n/a
Unix:Uptime System date and uptime information Performance
Unix:UserAccounts User account information Inventory
Unix:Version OS version information Inventory
Unix:VSFTPDConfig Local VSFTP server configuration information n/a
usersWithLoginPrivs Users with elevated login privileges n/a
vmstat Virtual memory information Performance
vmstat_metric Virtual memory statistical information n/a
who All users currently logged in n/a

Release notes for the Splunk Add-on for Unix and Linux

Version 10.0.0 of the Splunk Add-on for Unix and Linux was released on July 12, 2024.

Compatibility

Version 10.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 9.1.x, 9.2.x, 9.3.x, 9.4.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix operating systems.
Vendor products All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 10.0.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for new vendor product Rocky Linux OS
  • Support for new vendor product AlmaLinux OS
  • Support newer version v13.3 of FreeBSD OS
  • Added CIM support of ssh logs generated by OpenSSH >9.8 in linux_secure sourcetype. SSH logs in linux_secure were previously mapped to the Authentication data model, but they will now be mapped to the Network Sessions data model.
  • TA now extracts IPv6 values as well in “Received Disconnect” sshd log
  • Added new extractions for “proctitle” and “execve_command” for Linux kernels in audit logs
  • Added DURATION field in lastlog sourcetype that corresponds to the lastlog.sh script
  • Updated SAR, MPSTAT and TOP command parameters in cpu.sh and cpu_metric.sh for Linux, Darwin and AIX kernels to address the issue of momentary spikes of higher utilization when invoked compared to previous major version of Splunk. The scripts will output 5 reports by default at an interval of 2 seconds. Thus, the script execution will last for 10 seconds. Customers can set the script interval to 10 seconds in order to monitor their linux machines continuously.

Bug fixes

Version 10.0.0 of the Splunk Add-on for Unix and Linux has the following bugfixes:

  • Fixed an issue where version.sh script was showing kernel information instead of OS information in os_* field. Corrected the values for os_nane, os_version and os_release fields accross all the supported OSs. Also, added 3 new fields, namely kernel_name, kernel_release and kernel_version having kernel related information.

Fixed issues

Version 10.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 10.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Release history for the Splunk Add-on for Unix and Linux

The latest version of the Splunk Add-on for Unix and Linux is version 10.0.0. See Release notes for the Splunk Add-on for Unix and Linux for release notes of this latest version.

Version 9.2.0

Version 9.2.0 of the Splunk Add-on for Unix and Linux was released on July 12, 2024.

Compatibility

Version 9.2.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 9.0.x, 9.1.x, 9.2.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix operating systems.
Vendor products All supported Unix operating systems. See Unix operating systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 9.2.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for macOS Ventura 13
  • Support for macOS Sonoma 14
  • Support for OEL 8
  • Support of IPv6 data collection
  • Support for non-english locales in rlog script
  • Restricted monitoring of temporary files in /etc/ and /var/adm/
  • Enhanced hardware script to fetch required data when dmesg is restricted
  • Added user,user_id,src_user_id field extraction as per new format in linux logs Added explicit timestamp extraction for linux_audit* sourcetype

Bug fixes

  • Fixed awk error for selinuxChecker script
  • Fixed inconsistent app field values for linux_secure sourcetype
  • Fixed regex error for update script
  • Fixed the issue with the output format while using non-english locales

Fixed issues

Version 9.2.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 9.2.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 9.1.0

Version 9.1.0 of the Splunk Add-on for Unix and Linux was released on May 30, 2024.

Compatibility

Version 9.1.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 9.1.x, 9.2.x, 9.3.x, 9.4.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems.
Vendor products All supported Unix operating systems. See Unix_operating_systems.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 9.1.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Updated the lsof script for compatibility with the latest version.

Bug fixes

  • Fixed wrong time stamp extraction for auditd sourcetype

Fixed issues

Version 9.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 9.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Date filed Issue number Description
2024-03-19 ADDON-69658 cpu.sh shows momentary spikes of higher utilization when invoked compared to previous major version
2022-06-24 ADDON-53138 [PUBLIC] [Nix] cpu, cpu_metric scripts report higher CPU usage on Splunk 9.x

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 9.0.0

Version 9.0.0 of the Splunk Add-on for Unix and Linux was released on October 28, 2023.

Compatibility

Version 9.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 9.0.x, 9.1.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 9.0.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for a new linux OS, SUSE Linux Enterprise Server version 15SP5.

Bug fixes

  • Fixed extraction of src_ip field for linux_secure source_type.
  • Fixed breaking of field values, column values have whitespace for userswithloginprivs sourcetype.
  • Fixed issue where the user was getting redirected to the add-on setup page while editing Knowledge Objects on the Splunk Cloud Platform. Users will now be able to edit the Knowledge Objects on the Splunk Cloud Platform after selecting Click me! on the add-on setup page.
  • Fixed column truncating issue for lsof and openPortsEnhanced scripted input by adding “+c 0” in lsof command.

Fixed issues

Version 9.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 9.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.10.0

Version 8.10.0 of the Splunk Add-on for Unix and Linux was released on June 14, 2023.

Compatibility

Version 8.10.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.10.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for AIX 7.3 and RHEL 9.2.
  • Added a new dimension, IPv6_address, to the interfaces_metric, df_metric and ps_metric source types which contains the global IPv6 information of the monitored host.

Fixed issues

Version 8.10.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.10.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.9.0

Version 8.9.0 of the Splunk Add-on for Unix and Linux was released on April 17, 2023.

Compatibility

Version 8.9.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.9.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for MacOS 13.2.
  • Enhanced cpu and cpu_metric.sh script for AIX to incorporate new fields.
  • Enhanced cpu and cpu_metric.sh script for AIX such that it can be run by users without root access.

Fixed issues

Version 8.9.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.9.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.8.0

Version 8.8.0 of the Splunk Add-on for Unix and Linux was released on January 24, 2023.

Compatibility

Version 8.8.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.8.0 of the Splunk Add-on for Unix and Linux has the following new features:

Fixed issues

Version 8.8.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.8.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.7.0

Version 8.7.0 of the Splunk Add-on for Unix and Linux was released on July 26, 2022.

Compatibility

Version 8.7.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.7.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Enhanced df, interfaces and ps scripts to make the add-on more robust and efficient across various operating systems.
  • Support for RHEL v8.6 and RHEL v9.
  • Breaking Change: For ps and ps_metric scripts, ELAPSED and PSR were removed from kernel outputs except for AIX and SunOS as part of v8.7.0.

For more information on the enhanced scripts, see the Reference Section.

Bug fixes

  • Fixed the issue where events were breaking when forwarded from UF via the httpout method.
  • Fixed the issue where package.sh throws awk regular expression syntax error.
  • Fixed the issue where df_metric.sh script gave erroneous output when a hyphen character ‘-’ is present in the IUse% field.

Fixed issues

Version 8.7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.6.0

Version 8.6.0 of the Splunk Add-on for Unix and Linux was released on July 1, 2022.

Compatibility

Version 8.6.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.6.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Enhanced iostat scripts to make the add-on more robust and efficient across various operating systems.
  • Support for cpu.sh and cpu_metric.sh script on macOS > v10.11.
  • Support for update.sh script on Ubuntu OS.
  • Support for Ubuntu OS v22.04.
  • Support for macOS v12.4.

For more information on the enhanced iostat scripts, see the Reference Section.

Bug fixes

  • Fixed the issue with df.sh not extracting type field correctly on AIX operating systems when file systems names are long.
  • Removed extractions for deprecated fs_notification sourcetype.
  • Fixed the issue with df_metric.sh not generating output as expected when the output of command misses certain fields or contains an empty row.
  • Renamed setup.env_cloud.xml to ta_nix_configuration.env_cloud.xml to avoid errors on Splunk Cloud while updating permissions.
  • Fixed the issue with hardware.sh displaying errors when there are disks with no volume groups attached on AIX operating systems.
  • Fixed the issue with the hardware.sh displaying errors when there are disks part of an inactive volume group on AIX operating systems.

Fixed issues

Version 8.6.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.6.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.5.0

Version 8.5.0 of the Splunk Add-on for Unix and Linux was released on April 21, 2022.

Compatibility

Version 8.5.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.5.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for Least Privilege Mode functionality of the Splunk Universal Forwarder
  • Support for the latest flavors of Unix/Linux (RHEL 8.5 and MacOS 12.2)
  • Updated the logic in ‘iostat.sh’ and ‘iostat_metric.sh’ scripts to calculate ‘avgWaitMillis’ when ‘await’ is missing from the output of the raw command

  • Added 6 new fields in ‘iostat.sh’ and ‘iostat_metric.sh’ for Linux kernels:

    • rAvgWaitMillis (Read request processing wait time)
    • wAvgWaitMillis (Write request processing completion wait time)
    • rrqmPct (The percentage of read requests merged together before being sent to the device)
    • wrqmPct (The percentage of write requests merged together before being sent to the device)
    • rAvgReqSZkb (Average read request size in KB)
    • wAvgReqSZkb (Average write request size in KB)

Bug fixes

  • Fixed output of nfsiostat.sh script for Ubuntu 20.04

Fixed issues

Version 8.5.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.5.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.4.0

Version 8.4.0 of the Splunk Add-on for Unix and Linux was released on December 07, 2021.

Compatibility

Version 8.4.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.4.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for the latest vendor products of Nix (RHEL 8.4, Ubuntu 21.04, FreeBSD 13, and macOS 11.6)
  • Support for INode fields of all the OSs in the ‘df’ and ‘df_metric’ scripts’ output
  • Support for the latest CIM version (4.20.2)_ Added ‘user_name’ and ‘src_user_name’ fields to the ‘linux_secure’ and ‘linux_audit’ sourcetypes *Reinstated the ‘process’ tag for the ‘top’ and ‘ps’ eventtypes

Bug fixes

  • Fixed the normalisation issue for the ‘pctCPU’ and ‘pctMEM’ fields when value is either <0 or >100 in output of ‘ps’ and ‘ps_metric’ scripts.
  • Fixed the issue in ‘iostat’ and ‘iostat_metric’ scripts to support the latest version of the sysstat package.
  • Fixed the field extraction where the value of the ‘user’ was truncated when it contained special characters for the ‘aix_secure’, ‘osx_secure’, linux_secure’, and ‘syslog’ sourcetypes.
  • Fixed the ‘df’ and ‘df_metric’ scripts for the incorrect data when mount point has a space character for Linux kernel OSs.
  • Fixed the ‘rlog’ script to remove the unwanted error in the splunkd logs when no new data is available.
  • Fixed the ‘interfaces’ and ‘interfaces_metric’ scripts to remove the warning of awk regular expression syntax.

Fixed issues

Version 8.4.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Known issues

Version 8.4.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.3.1

Version 8.3.1 of the Splunk Add-on for Unix and Linux was released on July 26, 2021.

Compatibility

Version 8.3.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 8.1.x, 8.2.x
CIM 4.20.2
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following new features:

  • Updated the setup page of the add-on to make it compatible with jQuery3.

Fixed issues

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 8.3.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.3.0

Version 8.3.0 of the Splunk Add-on for Unix and Linux was released. on February 3, 2021.

Compatibility

Version 8.3.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.18
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support of CentOS 8, RHEL 8.3, Solaris 11.4, Ubuntu 20.10, FreeBSD 12.2, macOS 10.15
  • Common Information Model (CIM) version 4.18 compatibility
  • Enhanced CIM mappings and extractions for ‘linux_secure’ and ‘aix_secure’ sourcetypes
  • Enhanced CIM mappings and extractions for ‘dhcpd’ sourcetype
  • Mapped Endpoint.FileSystem data model to ‘fs_notification’ sourcetype
  • Mapped Performance.CPU data model to ‘ps’ sourcetype
  • Mapped Perfomance.Storage data model to ‘nfsiostat’ sourcetype
  • Mapped Endpoint.Ports data model to ‘netstat’ sourcetype
  • Removed DM mappings from ‘top’ and ‘Unix:ListeningPorts’ sourcetypes
  • Added the reason CIM field for the ‘Authentication.Failed_Authentication’ data model

Fixed issues

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 8.3.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.2.0

Version 8.2.0 of the Splunk Add-on for Unix and Linux was released on September 21, 2020.

Compatibility

Version 8.2.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.16
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Updated and added new CIM field compatibility for various sourcetypes.
  • Removed deprecated CIM models and upgraded to new CIM models.

Fixed issues

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 8.2.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.1.0

Version 8.1.0 of the Splunk Add-on for Unix and Linux was released on June 24, 2020.

Compatibility

Version 8.1.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.15
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in the Reference chapter of this manual to learn more about scripted inputs and their operating system compatibility.

New features

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for the metrics index for collecting statistical information of cpu, df, iostat, interfaces, vmstat, and ps sources.
  • Additional support of the chrony command to get time-service information.

Fixed issues

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 8.1.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 8.0.0

Version 8.0.0 of the Splunk Add-on for Unix and Linux was released on April 28, 2020.

Compatibility

Version 8.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.15
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

Script compatibility

Script CentOS 6 CentOS 7 CentOS 8 RHEL 6.9 RHEL 7.4 RHEL 8.0 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 FreeNAS 11.3U113 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y Y Y Y Y Y Y N N N N N N
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N N N N
lastlog.sh Y Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y Y Y
lsof.sh Y Y Y Y Y Y Y N N N N N N Y Y Y Y Y Y
netstat.sh Y Y Y Y Y Y Y N N N N N N N N Y N N N
nfsiostat.sh Y Y Y Y Y Y Y N N N N N N N N N N N N
openPorts.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y Y N N N N N N Y Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
rlog.sh Y Y Y Y Y Y Y Y N N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y Y N N N N N N N N N N N N N
service.sh Y Y Y Y Y N Y Y Y Y N N N N N N Y Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y Y N N N N N N N N N
time.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y Y N N N N N N N N N N N Y Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y Y
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Supported. pkg_info is deprecated, and pkg info is being used.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included. Not supported for RHEL/CentOS version 7.3.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate or chrony for RHEL version 8.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.
  13. Only FreeNAS 11.3U1 is supported.
  14. Bash shell is required to run the script. Install the bash package for the input.
  15. Requires vsftpd package.
  16. Data for Name,Version and Architecture of the package will be ingested by the Splunk software.

New features

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Common Information Model (CIM) version 4.15 compatibility.
  • Support for RHEL version 8.0
  • Increased ps.sh COMMAND field width to accommodate long values.
  • Ability to capture sshd-authentication events that do not have from in the event
  • Support for FreeNAS version 11.3U1.

Fixed issues

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 8.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 7.0.1

Version 7.0.1 of the Splunk Add-on for Unix and Linux was released on March 14, 2020.

Compatibility

Version 7.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0
CIM 4.12
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems.
Vendor products All supported Unix operating systems. See Unix_operating_systems.

Script compatibility

Script CentOS 6 CentOS 7 CentOS 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y N4 N4 N4 N N
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N N Y
netstat.sh Y Y Y Y Y Y N N N N N N N N N N
nfsiostat.sh Y Y Y Y Y Y N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y Y11 Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsfptdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 7.0 or later from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following new features:

  • Default support for Python3

Fixed issues

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 7.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 7.0

Version 7.0 of the Splunk Add-on for Unix and Linux was released on October 21, 2019.

Compatibility

Version 7.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0
CIM 4.12
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems.
Vendor products All supported Unix operating systems. See Unix_operating_systems.

Script compatibility

Script CentOS 6 CentOS 7 CentOS 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y N4 N4 N4 N N
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N N Y
netstat.sh Y Y Y Y Y Y N N N N N N N N N N
nfsiostat.sh Y Y Y Y Y Y N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y Y11 Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsfptdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 7.0 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 7.0 of the Splunk Add-on for Unix and Linux has the following new features:

  • Support for Python3

Fixed issues

Version 7.0 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 7.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.2

Version 6.0.2 of the Splunk Add-on for Unix and Linux was released on February 18, 2019.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.2 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.12
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems.
Vendor products All supported Unix operating systems. See Unix_operating_systems.

Script compatibility

Script CentOS 6 CentOS 7 CentOS 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y N4 N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N Y Y Y
netstat.sh Y Y Y Y Y Y N N N N N N N N N N
nfsiostat.sh Y Y Y Y Y Y N N N N N N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y Y11 Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsfptdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat. # Not supported, sar is not available.
  3. Not supported, /bin/darwin_disk_stats is not available.
  4. Supported, script indexes Header information as an extra event.
  5. Not supported, pkg_info is deprecated.
  6. Supported, COMMAND field value is truncated.
  7. Supported, error log messages are included.
  8. Supported, requires ausearch.
  9. Not supported, chkconfig is not available.
  10. Supported, requires ntpdate.
  11. Supported with only Linux OS configurations, requires the nfs-utils package.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.2 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following new features:

Fixed issues

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 6.0.2 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.1

Version 6.0.1 of the Splunk Add-on for Unix and Linux was released on September 20, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduced breaking changes. If you are upgrading from an earlier version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.1 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms:
Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems
Vendor products All supported Unix operating systems. See Unix_operating_systems

Script compatibility

Script CentOS 6 CentOS 7 RHEL 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y N4 N4 N4 Y N4
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N N Y Y
netstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y Y Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y Y11 Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate.

Upgrade

Users upgrading to the Splunk Add-on for Unix and Linux version 6.0.1 from version 5.2.4 or earlier must follow prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

The Splunk Add-on for Unix and Linux version 6.0.1 has the following new features:

  • Supported extraction for the cpu_instance field. Earlier versions extracted only cpu=all. Version 6.0.1 can extract field values for individual core numbers in addition to cpu=all.
  • Supported extraction for the mem_page_in and mem_page_out field
  • Supported extraction for the swap_percent field
  • Supported extraction for the cpu_architecture field

Fixed issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following fixed issues:

Known issues

Version 6.0.1 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 6.0.0

Version 6.0.0 of the Splunk Add-on for Unix and Linux was released on June 21, 2018.

The Splunk Add-on for Unix and Linux 6.0.0 introduces breaking changes. If you are upgrading from a previous version of the Splunk Add-on for Unix and Linux, you must follow the steps outlined in Upgrade the Splunk Add-on for Unix and Linux. Failure to do so can result in data loss.

Compatibility

Version 6.0.0 of the Splunk Add-on for Unix and Linux is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Supported OS for data collection All supported Unix operating systems. See Unix_operating_systems.
Vendor products All supported Unix operating systems. See Unix_operating_systems.

Script compatibility

Script CentOS 6 CentOS 7 CentOS 7.4 RHEL 6.9 Ubuntu 14.04 Ubuntu 16.04 Solaris 10 Solaris 11.3 Solaris 11.0 AIX 7.1 AIX 7.2 FreeBSD 9 FreeBSD 10 FreeBSD 11 Mac OS X 10.11 Mac OS X 10.12
bandwidth.sh Y Y Y Y Y Y Y1 Y2 Y Y Y N3 N3 N3 Y N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N3
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y N4 N4 -
lastlog.sh Y Y Y Y Y Y Y Y Y N N Y Y Y Y Y
lsof.sh Y Y Y Y Y Y N N N N N N N Y Y -
netstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y Y5 Y5 Y5 Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y N N N N N Y Y
package.sh Y Y Y Y Y Y Y Y Y Y Y Y N6 N6 Y Y
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y7 Y7 Y7 Y Y
rlog.sh Y Y8 Y8 Y Y9 Y N N N N N N N N N N
selinuxChecker.sh Y Y Y Y Y N N N N N N N N N N N
service.sh Y Y Y Y N10 Y Y Y Y N N N N N Y Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y N N N N N N N
time.sh Y11 Y11 Y Y Y Y Y Y Y Y Y Y11 Y Y Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y N N N N N N N N N N Y Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsfptdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Not supported, pkg_info is deprecated.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available. # Supported, requires ntpdate.

Upgrade

All users upgrading to the Splunk Add-on for Unix and Linux version 6.0.0 must follow the prerequisite upgrade steps before performing the installation. See Upgrade the Splunk Add-on for Unix and Linux.

New features

Version 6.0.0 of the Splunk Add-on for Unix and Linux contains the following new and changed features:

  • Added support for RedHat Enterprise Linux 7
  • Added support for Solaris 10 and Solaris 11
  • Linux scripts migrated from net-tools to iproute2 to support current Linux releases

Script updates

  • netstat.sh (sourcetype=netstat) is updated. The Proto field no longer contains the IP address type and the State field value is truncated.

    Proto Recv-Q Send-Q LocalAddress ForeignAddress State tcp 0 0 127.0.0.1:53350 127.0.0.1:8191 ESTAB tcp 0 0 127.0.0.1:8191 127.0.0.1:53324 ESTAB tcp 0 128 :::22 ::: LISTEN tcp 0 100 ::1:25 ::: LISTEN

  • openPorts.sh (sourcetype=openPorts) is updated. The protocol field no longer contains the IP address type.

    tcp 22 tcp 8089 tcp 25 tcp 8191 tcp 8000 tcp 8065 tcp 22 tcp 25

  • interfaces.sh (sourcetype=interfaces) is updated. The inetAddr field now contains the netmask.

    Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex eth0 00:50:56:95:a4:f7 10.0.3.235/20 fe80::250:56ff:fe95:a4f7/64 0 620790375 0 2982390 0 10000Mb/s Full

  • lastlog.sh (sourcetype=lastlog) is updated. The LATEST field no longer contains the seconds and year in the timestamp, and the FROM field only contains an IP address.

    USERNAME FROM LATEST user1 10.0.1.1 Thu Mar 29 13:04 user2 10.0.1.1 Mon Apr 9 14:34

Fixed issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux fixed the following issues:

Known issues

Version 6.0.0 of the Splunk Add-on for Unix and Linux has the following known issues. If no issues appear here, no issues have yet been reported:

Third-party software attributions

The Splunk Add-on for Unix and Linux does not use third-party software or libraries.

Version 5.2.4

The Splunk Add-on for Unix and Linux was last updated in December 2017.

What’s new

See the known issues and fixed issues of these release notes for product updates.

Fixed issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux fixed the following issues:

Known Issues

Version 5.2.4 of the Splunk Add-on for Unix and Linux has the following known issues:

Version 5.2.3

The Splunk Add-on for Unix and Linux was last updated on April 5, 2016.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2016-4-5 TAG-11060 The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2016-2-29 TAG-10164 On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
2015-12-15 TAG-4275 The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what’s been fixed)

Publication date Defect number Description
2016-4-5 TAG-11059 The add-on has been updated to provide better support for Key Performance Indicators (KPIs) for the Splunk IT Service Intelligence OS Module.

Version 5.2.2

The Splunk Add-on for Unix and Linux was last updated on February 29, 2016.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2016-2-29 N/A Bug fixes.
2016-2-29 TAG-10606 Event type definitions in the add-on have been updated to improve performance.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2016-2-29 TAG-10164 On some versions of Linux (for example, RedHat), the rlog.sh scripted input improperly calls for the status of the auditd service, which forces the OS to redirect the call to the right service and generates an error in splunkd.log.
2015-12-15 TAG-4275 The scripts that come with the add-on rely on system utilities to run properly. If those utilities are not present, the scripts exit silently.

Change Log (what’s been fixed)

Publication date Defect number Description
2016-2-29 TAG-10606 Event type definitions in the add-on have been updated to improve performance.
2016-2-29 TAG-10537 The add-on now determines the correct operating system version numbers on hosts that run AIX and Solaris.
2016-2-29 TAG-10474 A typo in a field transformation that referenced an invalid FORMAT argument has been fixed.
2016-2-29 TAG-9922 The add-on has been updated to not expose file and scripted input configuration controls on Splunk Cloud installations.

Version 5.2.1

The Splunk Add-on for Unix and Linux was last updated on December 15, 2015.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2015-12-15 N/A Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2015-12-15 TAG-4275 On hosts that run AIX, the vmstat.sh script does not produce output.

Change Log (what’s been fixed)

Publication date Defect number Description
2015-12-15 TAG-10147 A problem with vmstat.sh where space-delimited and tab-delimited entries were intermingled was fixed.
2015-12-15 TAG-10213 The add-on has been updated to move some of the data it collects into a data model. This is for use with the OS Module for Splunk IT Service Intelligence.
2015-12-15 TAG-4211 A problem where the rlog.sh and [monitor://var/log] stanzas within the add-on collected audit.log twice (in different ways) was fixed.

Version 5.2.0

The Splunk Add-on for Unix and Linux was last updated on September 18, 2015.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

Publication date Defect number Description
2015-9-18 N/A Bug fixes.
2015-9-18 N/A The app has been updated to be compatible with Splunk Enterprise version 6.3.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

Publication date Defect number Description
2015-10-13 TAG-4211 The rlog.sh scripted input and [monitor:///var/log] input stanza both collect audit.log, although in slightly different formats. This might result in duplicate data collection. To work around this problem, add a blacklist to the [monitor:///var/log] stanza: whitelist=(\.log|log$|messages|secure|auth|mesg$|cron$|acpid$|\.out) blacklist=(audit.log|lastlog|anaconda\.syslog) index=os disabled = 1

Change Log (what’s been fixed)

Publication date Defect number Description
2015-9-18 TAG-9589 The add-on no longer breaks search-time extractions for syslog on upgrade.
2015-9-18 TAG-9482 The add-on no longer reports incorrect CPU usage when installed on a Solaris 10 host.
2015-9-18 TAG-9353 The storage, storage_used, and storage_free fields now display data in megabytes instead of bytes.
2015-9-18 TAG-9312 The rlog.sh scripted input now reads the first line of the audit.log file. This fixes a problem where events in Splunk Enterprise did not reflect all contents of the file.
2015-9-18 TAG-9220 The package.sh scripted input now populates the RELEASE field on Debian Linux systems.
2015-9-18 TAG-3913 The regular expression that defines line breaking patterns for the add-on no longer generates spurious errors in the line-breaking processor.

Version 5.1.2

The Splunk Add-on for Unix and Linux was last updated on April 1, 2015.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values that the native vmstat command displays. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • The vmstat scripted input does not work on AIX. (TAG-4518)
  • On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:

export SPLUNK_HOME= _\ export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467) The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer’s threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return “?” for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the “Settings: Alerts” configuration page. (NIX-537) * You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error “Unknown search command: ‘all’” when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app’s scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what’s been fixed)

  • Copyright information for the add-on has been updated and corrected. (TAG-9244)
  • The add-on no longer incorrectly displays in the Splunk Light Dashboards page. (TAG-9182)
  • The su_authentication event type within the add-on now has better su command event-matching logic. (TAG-8938)
  • The uptime.sh script in the add-on now handles ps output properly on HP-UX machines. (TAG-4204)
  • An unnecessary transform for WMI installed apps has been removed. (TAG-4191)
  • The top.sh script now accounts for the fact that, starting with Mac OS X version 10.9 Mavericks and later, there is no rshrd (resident shared address space size) statistic for the top command. On Mac OSX 10.9 Mavericks and later, the script now outputs “?” for that statistic, instead of generating an error. (TAG-4077)
  • The add-on no longer attempts to automatically learn new source types when you tell it to monitor large directories. (TAG-3986)

Version 5.1.1

The Splunk Add-on for Unix and Linux was last updated on February 13, 2015.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.
  • Feature additions to better work with Splunk Light (TAG-3983, TAG-8913).

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • On Linux systems, the cpu.sh script does not display the %steal CPU counter. (TAG-4114)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:

export SPLUNK_HOME= export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your _nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer’s threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return “?” for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the “Settings: Alerts” configuration page. (NIX-537) * You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error “Unknown search command: ‘all’” when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app’s scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what’s been fixed)

  • A cosmetic issue with the “Reset” button on the add-on configuration page has been fixed. (TAG-3976)
  • The documentation links in the add-on now go to valid places. (TAG-4421)

Version 5.1.0

The Splunk Add-on for Unix and Linux was last updated on October 6, 2014.

What’s new

Here’s what’s new in the latest version of the Splunk App for Unix and Linux:

  • Bug fixes.
  • Feature additions to better work with the Splunk App for Enterprise Security.
  • The add-on now contains some knowledge layer improvements. (NIX-638)
  • The add-on now normalizes timestamps to work with the Change_Analysis data model. (NIX-668)
  • The add-on now has higher-resolution icons. (NIX-660)

Current known issues

The Splunk App for Unix and Linux has the following known issues:

  • The values for total, used, and free memory that the vmstat.sh script displays differ from the values displayed by the native vmstat command. This is because vmstat.sh counts swap cache memory and buffer memory as part of the total free memory available, and subtracts this from total memory to get used memory. This is by design. (TAG-4014, TAG-9010)
  • Due to how Mac OS X configures OpenSSL, any Splunk Add-on for Unix and Linux scripts that use a hash (such as openPortsEnhanced.sh, passwd.sh, and sshdChecker.sh) do not work by default. To work around the problem, set the DYLD_LIBRARY_PATH variable as follows:

export SPLUNK_HOME= export DYLD_LIBRARY_PATH=$SPLUNK_HOME/lib

(NIX-649, SPL-78856)

  • Using the latest version of Sideview Utils with the add-on causes a problem where dashboards do not populate despite the availability of data. To work around the problem, use version 1.3.5 or earlier of Sideview Utils. (NIX-646)
  • When you install the app and point it at the indexes which contain your _nix data, it might take up to 15 seconds for that data to begin showing up in the app. This is due to lookup generation. (NIX-467)
  • The colors in the Metrics Viewer graphs do not update correctly if you transpose sliders in the Metrics Viewer’s threshold bar. (NIX-428)
  • When in node view, the Hosts dashboard sometimes shows inconsistent colors with respect to the detailed view colors. (NIX-353, NIX-409)
  • When you use Firefox to access the Splunk App for Unix and Linux, the radial graphs in the Home dashboard sometimes do not display correctly. The slices within the graphs sometimes spill out of their containers. To work around the problem, refresh the page. (NIX-370, NIX-413)
  • On HP/UX systems, there is no way to obtain the number of threads on a system. This means that the vmstat scripted inputs will always return “?” for threads columns on HP/UX.
  • On Solaris systems, the hardware.sh scripted input sometimes returns empty values for some entries. (NIX-42)
  • If you clone an existing alert saved search, you cannot edit the search using the “Settings: Alerts” configuration page. (NIX-537) * You cannot create custom alerts using Splunk Web; you must do so with configuration files. (NIX-536)
  • If you remove the default group, you sometimes receive an error “Unknown search command: ‘all’” when you load the Home page. (NIX-560)
  • In the Hosts page, if you do not wait for all data on a host information card to load before pinning that card, when you select another host, the original host information card does not remain pinned. (NIX-320)
  • The app’s scripted inputs do not work when the directory that they are hosted in contains spaces. This is particularly an issue with Mac OS X. (NIX-570)
  • The full-screen NOC screen legends do not display correctly in Chrome. (NIX-584)
  • You are not able to drill down into a specific host on the Hosts dashboard. (NIX-587)

Change Log (what’s been fixed)

  • A problem with the first-time run experience where a file rename would cause the experience to repeat continuously was fixed. (NIX-664)
  • A search macro definition for network monitoring that conflicted with a similar definition in the Splunk Add-on for Windows was corrected. (NIX-663)
  • Values defined within stanzas in some configuration files now have proper URI encodings. (NIX-656)
  • The vmstat.sh script now properly returns results on systems with more than one mass storage device. (NIX-648)
  • A problem where event type searches generated false positives because they include the summary index has been fixed. (NIX-644)
  • The Splunk Supporting App for Unix and Linux (SA-Nix) no longer overwrites the action field. (NIX-641)
  • A search-time field extraction that referenced the syslog source type has been removed. (NIX-634)
  • A typo in the version.sh script has been corrected. (NIX-630)
  • The setup.sh script now properly accepts the –auth argument. This enables users to use the script to log into their Splunk Enterprise instance while setting up the Splunk App for Unix and Linux from the command line. (NIX-624)
  • A customer-submitted patch to interfaces.sh improves how that script gathers network interface error statistics. (NIX-623)

Hardware and software requirements for the Splunk Add-on for Unix and Linux

The Splunk Add-on for Unix and Linux installs on Splunk instances that run on many versions of Unix, including Linux, Solaris, and AIX.

Dependencies

The Splunk Add-on for Unix and Linux requires these software packages to be installed on all supported Unix and Linux operating systems for scripted inputs to work:

  • GNU awk
  • sysstat
  • ntpdate
  • lsof
  • nfs-utils
  • bash
  • chrony
  • iproute/ iproute2
  • lshw

Following are detailed requirements for the scripted inputs for each supported OS. Use your OS-specific package manager to install these packages if they are not already installed:

Script Name Ubuntu Rocky Alma FreeBSD RHEL SUSE Solaris OEL MacOS
cpu.sh Package: sysstat Package: sysstat Package: sysstat Package: top Package: sysstat Package: sysstat Package: sysstat Package: sysstat Built-in tool: top
iostat.sh Package: sysstat Package: sysstat Package: sysstat Package: iostat Package: sysstat Package: sysstat Package: sysstat Package: sysstat N/A
lastlog.sh Package: util-linux Package: util-linux Package: util-linux Package: last Package: util-linux Package: util-linux Package: last Package: util-linux Built-in tool: last
lsof.sh Package: lsof Package: lsof Package: lsof Package: lsof Package: lsof Package: lsof Package: lsof Package: lsof Built-in tool: lsof
netstat.sh Package: iproute2 Package: iproute2 Package: iproute2 Package: netstat, ifconfig Package: iproute2 Package: iproute2 Package: netstat, ifconfig Package: iproute2, net-tools Built-in tool: netstat
VsftpdChecker.sh Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

user needs to have read permission to the /etc/vsftpd/vsftpd.conf file.		 Package: Vsftpd

grant read permission for /usr/local/etc/vsftpd.conf
SshdChecker.sh Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config Grant permissions for /etc/ssh/sshd_config NA
bandwidth.sh Package: sysstat Package: sysstat Package: sysstat Package: sysstat Package: sysstat Package: sysstat Package: sysstat Package: sysstat NA
df.sh Package: coreutils Package: coreutils Package: coreutils Package: df Package: coreutils Package: coreutils Package: df Package: coreutils Built-in tools: df, mount
hardware.sh Package: coreutils, net-tools, lshw Package: coreutils, lshw Package: coreutils, lshw Package: sysctl, df, ifconfig, dmesg, top Package: iproute2, net-tools, lshw Package: iproute2, net-tools, lshw Package: mpstat, iostat, dmesg, ifconfig Package: iproute2, net-tools, lshw Built-in tools: df, sysctl, system_profiler, ifconfig
interface.sh Package: iproute2, net-tools Package: iproute2, net-tools Package: iproute2, net-tools Package: ifconfig, netstat Package: iproute2, net-tools Package: iproute2, net-tools Package: ifconfig, netstat Package: iproute2, net-tools Built-in tools: netstat, ifconfig
nfsiostat.sh Package: nfs-common Package: nfs-utils Package: nfs-utils NA Package: nfs-utils Package: nfs-utils NA Package: nfs-utils NA
service.sh Install chkconfig and use systemctl Install chkconfig Install chkconfig NA Install chkconfig Install chkconfig NA Install chkconfig and use systemctl Built-in tools: date, defaults, dscl, find, ls
time.sh Package: ntpdate, date, or chronyc Package: ntpdate, date, or chronyc Package: ntpdate, date, or chronyc Package: ntpdate, date Package: ntpdate, date, or chronyc Package: ntpdate, date, or chronyc Package: ntpdate, date Package: ntpdate, date, or chronyc Install: date, ntpdate or sntp or chronyc
top.sh Package: procps-ng Package: procps-ng Package: procps-ng Package: prstat Package: procps-ng Package: procps-ng Package: prstat Package: procps-ng Built-in tool: top
version.sh Package: coreutils, util-linux Package: coreutils, util-linux Package: coreutils, util-linux Commands: date, uname Package: coreutils, util-linux Package: coreutils, util-linux Commands: date, uname Package: coreutils, util-linux Commands: sw_vers and oslevel
vmstat.sh Package name: procps-ng and sysstat. Package name: procps-ng and sysstat. Package name: procps-ng and sysstat. Package name: sysctl, vmstat and top Package name: procps-ng and sysstat. Package name: procps-ng and sysstat. Package name: vmstat, prstat Package name: procps-ng and sysstat. NA
rlog.sh Package name: auditd

If you want to collect data for rlog, you need to grant the necessary permissions for the /var/log/audit/audit.log.

If you are using a non-root user, data will be collected, but an error will appear in splunkd. To collect data without errors, use root user.		 Package name: auditd

If you want to collect data for rlog, you need to grant the necessary permissions for the /var/log/audit/audit.log.

If you are using a non-root user, data will be collected, but an error will appear in splunkd. To collect data without errors, use root user.		 Package name: auditd

If you want to collect data for rlog, you need to grant the necessary permissions for the /var/log/audit/audit.log.

If you are using a non-root user, data will be collected, but an error will appear in splunkd. To collect data without errors, use root user.		 NA Package name: auditd

If you want to collect data for rlog, you need to grant the necessary permissions for the /var/log/audit/audit.log.

If you are using a non-root user, data will be collected, but an error will appear in splunkd. To collect data without errors, use root user.		 Package name: auditd

If you want to collect data for rlog, you need to grant the necessary permissions for the /var/log/audit/audit.log.		 NA Package name: auditd

If you want to collect data for rlog, you need to grant the necessary permissions for the /var/log/audit/audit.log.

If you are using a non-root user, data will be collected, but an error will appear in splunkd. To collect data without errors, use root user.		 NA

Splunk admin requirements

To install and configure the Splunk Add-on for Unix and Linux, you must be a member of the admin role or if you are a member of the sc_admin role then you need to provide the capabilities edit_monitor and edit_scripted to the user/role.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.

  • For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
  • If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.

For information about installation locations and environments, see Install the Splunk Add-on for Unix and Linux.

Installation and configuration overview for the Splunk Add-on for Unix and Linux

Complete the following steps to install and configure this add-on:

  1. If you are upgrading from a previous version, perform the prerequisite upgrade the Splunk Add-on for Unix and Linux steps.
  2. Install the Splunk Add-on for Unix and Linux.
  3. Enable data and scripted inputs for the Splunk Add-on for Unix and Linux.

Ended: Overview

Installation

Install the Splunk Add-on for Unix and Linux

You can install the Splunk Add-on for Unix and Linux with Splunk Web or from the command line. You can install the add-on onto any type of Splunk Enterprise or Splunk Cloud Platform instance.

  1. Get the Splunk Add-on for Unix and Linux by downloading it from https://splunkbase.splunk.com/app/833 or browsing to it using the app browser within Splunk Web.
  2. Determine where and how to install this add-on in your deployment, using the tables on this page.
  3. Perform any prerequisite steps before installing, if required and specified in the tables on this page.
  4. Complete your installation.

For add-on version 8.8.0 and up, there is a new eventtype named nix_ta_custom_eventtype. Users can update this eventtype to include their required events. After updating the definition of this eventtype, the required events will be made available to the predefined eventtypes written in the add-on. See Define event types in Splunk Web.

For example, if you want to add a custom sourcetype xyz to addon’s eventtypes, set following value:

[nix_ta_custom_eventtype] search = sourcetype = “xyz”

If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the Installation walkthroughs section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud Platform.

Distributed deployment

Use the tables on this page to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.

Where to install this add-on

All supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform:

Splunk platform instance type Supported Required Comments
Search heads Yes Yes Install this add-on to all search heads where Unix or Linux knowledge management is required. As a best practice, turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of or in addition to your data collection node.
Indexers Yes Conditional Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data.
Heavy forwarders Yes See comments This add-on supports forwarders of any type for data collection. The host must run a supported version of _nix.
Universal forwarders Yes See comments This add-on supports forwarders of any type for data collection. The host must run a supported version of _nix.

Distributed deployment feature compatibility

This table describes the compatibility of this add-on with Splunk distributed deployment features:

Distributed deployment feature Supported Comments
Search head clusters Yes Disable add-on visibility on search heads.
Indexer clusters Yes To get data from an indexer cluster member, install the add-on into that member.
Deployment server Yes Supported for deploying the configured add-on to multiple nodes.

Installation walkthroughs

The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.

For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:

Upgrade the Splunk Add-on for Unix and Linux

Upgrade from version 8.7.0 to version 8.8.0

See the following steps to upgrade from version 8.7.0 to version 8.8.0 of the Splunk Add-on for Unix and Linux:

Limiting event types

Before add-on v8.8.0, a given event type covered a broader set of events. For example, the [failed_login] event type was defined as:

[failed_login] search = (NOT sourcetype=stash) “failed login” OR “FAILED LOGIN” OR “Authentication failure” OR “Failed to authenticate user” OR “authentication ERROR” OR “Failed password for”.

Similar event type regexes have been filtered to match only the required data for the add-on.

It is possible that events which were previously matched by event types will no longer be matched after upgrading to v8.8.0.

To solve this, we have introduced a new event type named nix_ta_custom_eventtype. Update this event type to include required events.

To update the event type from Splunk web, see Update an event type in settings in the Splunk Cloud Platform manual.

For example, to add a custom sourcetype “xyz” to the add-on’s event types, set the following value:

[nix_ta_custom_eventtype] search = sourcetype = “xyz”

Upgrade from version 8.6.0 to version 8.7.0

Upgrade from version 8.6.0 to version 8.7.0 of the Splunk Add-on for Unix and Linux is seamless. There are no additional steps required for this version upgrade. See Install the Splunk Add-on for Unix and Linux in this manual.

Use the installation steps in this manual to upgrade from versions 7.0 and above to the latest version of this add-on.

Before upgrading to the Splunk Add-on for Unix and Linux versions 8.1.0 and higher, verify that you have the bash shell installed on your system. If the bash shell is not installed, the lsof and package inputs will not work.

Ended: Installation

Configuration

Enable data and scripted inputs for the Splunk Add-on for Unix and Linux

After you have installed the Splunk Add-on for Unix and Linux, you must enable the data and scripted inputs within the add-on so that it collects data from your data collection nodes.

The Splunk Add-on for Unix and Linux has a configuration page which lets you enable the inputs from within Splunk Web. This page is only available on Heavy Forwarders and full instances of Splunk Enterprise. Use this option when you are collecting data from a server with a full instance of Splunk Enterprise installed.

On a Universal Forwarder, you must enable the inputs using the configuration files.

Verify that you have execute rights for the bin folder. The scripts will display permission denied in the splunkd.log if you don’t. Splunk must be installed and executed as root user for this Add-on to work properly.

See the Scripted input reference for the Splunk Add-on for Unix and Linux page in this manual for more information.

Collect statistical data from metrics indexes

Versions 7.2 and later of the Splunk platform support metric index data collection.

Create a metric index for each supported source type for which you would like to collect data. The Splunk Add-on for Unix and Linux supports metric index data collection for the following source types:

  • cpu_metric
  • df_metric
  • interfaces_metric
  • iostat_metric
  • ps_metric
  • vmstat_metric

Enable the data and scripted inputs from within Splunk Web

When you configure the add-on from within Splunk Web, the configuration page has into three sections: The File and Directory Inputs section, the Scripted Metric Input section and the Scripted Event Inputs section.

  1. Log into the Splunk Enterprise instance installed on the server from which you want to collect data.
  2. Activate the Splunk Add-on for Unix and Linux. Locate the Splunk Add-on for Unix and Linux on the Apps page, and click the Set up link in the row for the Splunk Add-on for Unix and Linux.
  3. In the File and Directory Inputs section of the configuration page, click the radio buttons below Enable or Disable to enable or disable the input for the specified file or directory. You can also click the (All) link next to either Enable or Disable to enable all of the displayed inputs.
  4. In the Scripted Metric Inputs section, click the radio buttons below Enable or Disable to enable or disable the input for the specified script (as shown under Name.) You can also click the (All) link next to Enable or Disable to enable or disable all of the displayed scripted metric inputs.
  5. Set the index for a metric input by selecting the metric index from the Index selection dropdown. Metric Index is mandatory when configuring the metric input.
  6. In the Scripted Event Inputs section, click the radio buttons below Enable or Disable to enable or disable the input for the specified script (as shown under Name.) You can also click the (All) link next to Enable or Disable to enable or disable all of the displayed scripted event inputs.
  7. (Optional) Set the interval for a script by entering a positive number in the Interval text box for each script. For example, if you want the cpu.sh script to run once an hour, type in 3600 in the “Interval” text box for cpu.sh.
  8. Click Save.

Enable the data and scripted inputs with configuration files

When you configure data and scripted inputs using configuration files, copy only the input stanzas whose configurations you want to change. Do not copy the entire file, as those changes persist even after an upgrade.

  1. Create inputs.conf in the SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf directory for editing.

  2. Open SPLUNK_HOME/etc/apps/Splunk_TA_nix/default/inputs.conf file and paste them into the SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file, enable the inputs that you want the add-on to monitor by setting the disabled attribute for each input stanza to 0.

  3. For any metric input, after enabling the metric input in the SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file, configure and index for the enabled input by setting the index attribute before each metric input stanza to a desired index name.

  4. Save the SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf file.

  5. Restart the Splunk instance.

Enable data and scripted inputs with the command line

To configure inputs using the command line interface (CLI). Use the following steps:

  1. Navigate to $SPLUNK_HOME/bin/.
  2. To enable all inputs, except metric inputs, enter the following command: ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh –enable-all
  3. To enable all inputs, including metric inputs, enter the following command: ./splunk cmd sh /opt/splunk/etc/apps/Splunk_TA_nix/bin/setup.sh –enable-all –metric-index
  4. To list all inputs, enter the following command: ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh –list-all
  5. To identify other commands, enter the following command: ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh –usage OR ./splunk cmd sh $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin/setup.sh –help
  6. Restart the Splunk platform.

Configuration of file monitoring input for AIX

You must monitor the following files and directories and assign corresponding sourcetypes in AIX in order to utilize CIM mappings and field extractions.

File Name Sourcetype
/var/adm/auth.log or path to security logs aix_secure
/var/adm/messages or path to system logs syslog

Ended: Configuration

Troubleshooting

Troubleshoot the Splunk Add-on for Unix and Linux

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Events not getting tagged to the desired event type after upgrading to version 8.8.0

See Upgrade the Splunk Add-on for Unix and Linux.

Errors seen in splunkd for rlog.sh script

Error parsing start date (MM/DD/YYYY)

Locales other than en_US.UTF-8 are currently not supported by the rlog.sh script. If you are using locales other than en_US.UTF-8 you will have to use the locale as en_US.UTF-8 or its equivalent depending on your country.

Errors seen in output of Update.sh script

2021-12-23 06:50:15,873 [ERROR] yum:13717:MainThread @logutil.py:194 - [Errno 13] Permission denied: ‘/var/log/rhsm/rhsm.log’ - Further logging output will be written to stderr

2021-12-23 06:50:15,875 [ERROR] yum:13717:MainThread @identity.py:156 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 13] Permission denied: ‘/etc/pki/consumer/key.pem’

If you see errors similar or same as above errors, then provide the necessary permissions for the user running splunkd to read those files.

sshdChecker.sh and vsftpdChecker.sh scripted inputs giving some file permission errors

If you see file permission errors for the files ‘sshd_config’ (for sshdChecker.sh) and ‘vsftpd.conf’ (for vsftpdChecker.sh), then please provide the necessary permissions for the user running splunkd to read those files.

Missing data from scripts

If data is missing from the script output, you can run the scripts in debug mode and use the additional information to look for the cause of the missing data.

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Run sh –debug to run the script in debug mode.
  3. The debug output is saved in debug––. This file contains the command that was executed, and its output or the failure reason. Use this information to resolve the missing data issue.

Unexpected values for cpu_load_percent and cpu_user_percent fields

The Splunk Add-on for Unix and Linux version 6.0.1 enhanced field extraction for the sourcetype cpu by extracting cpu_user_percent and cpu_load_percent fields for specific core numbers as well as for all instances. To query across all, which is what previous versions of the add-on do, use cpu=all. To query for a specific core number, include the number in your query, such as cpu=1.

Multiple events in package source type

In the packagesourcetype of the Splunk Add-on for Unix and Linux version 6.0.1, all installed software packages are listed in one event, and there are no field extractions. In version 6.0.2 of the Splunk Add-on for Unix and Linux, events are divided into separate events per software package, and fields are extracted automatically for each event. This also applies to existing events.

Make CPU core statistics info in FreeBSD OS similar to other supported OS configurations

In version 6.0.1 of the Splunk Add-on for Unix and Linux 6.0.1, the cpu sourcetype for FreeBSD OS has CPU statistics for all cores as a single event, whereas for other OS configurations, there are separate events for separate cores as well as single event for all cores. In version 6.0.2 of the Splunk Add-on for Unix and Linux, cpu.sh script output data for FreeBSD OS is consistent with other OS configurations.

Not getting data from nfsiostat scripts

See Missing data from scripts to check the script behavior in debug mode.

If the output of script file in debug mode is “Not found command nfsiostat on this host,” then install the nfsutils package. If data is not indexed after installing this package, then check the script in debug mode again. If the output is “No NFS mount points were found,” then the NFS file system is missing. You need to set up NFS mount to get this data into your Splunk platform deployment.

COMMAND field is truncated in the data collected from ps.sh scripted input

If your environment contains any commands longer than 100 characters, perform the following steps to extend your deployment’s maximum command length:

  1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_nix/bin.
  2. Open a CLI and enter vi ps.sh
  3. Navigate to to line 21, and change %-100.100s to a command length that fits your environment. For example, %-200.200s.
  4. Save your changes.

LC_CTYPE error for rlog.sh input

If you receive the error “locale: Cannot set LC_ALL to default locale: No such file or directory, verify the following:

If you are connecting to a Linux or Unix machine using a Mac OS Terminal, verify that the locale set is the same for both operating system (OS) platforms. If the locale sets do not match, sync them, using the commands specific to your OS platform. As a best practice, keep LANG=“en_US.UTF-8”. Alternate values are supported, as long as the values are the same for your remote machine and the machine from which you are logging in.

Scripted input not working due to insufficient permissions

Verify that you have execute rights for the bin folder. The scripts will display permission denied in the splunkd.log if you don’t. Splunk must be installed and executed as root user for this Add-on to work properly.

Ended: Troubleshooting

Reference

Lookups for the Splunk Add-on for Unix and Linux

The Splunk Add-on for Unix and Linux contains the following lookup files:

File Name Description
nix_da_update_status.csv Maps sourcetypes to required update status.
nix_da_version_ranges.csv Maps sourcetypes to OS-provided version information.
nix_endpoint_change_vendor_action.csv Maps actions for Windows registry and file system change notifications.
nix_fs_notification_change_type.csv Maps sourcetypes and change types for file system change notifications.
nix_linux_audit_action_object_category.csv Maps operations (op) to category and action for Linux audit logs.
nix_object_category.csv Maps object and object_category for Windows registry and file system change notifications.
nix_status.csv Maps status id and status for Windows registry and file system change notifications.
nix_user_types.csv Maps sourcetypes and user types for Windows registry and file system change notifications.
nix_vendor_actions.csv Maps vendor_action and action for security logs.

Scripted input reference for the Splunk Add-on for Unix and Linux

See the following information about scripted inputs for the Splunk Add-on for Unix and Linux.

Script compatibility

Script RHEL 7.4 RHEL 7.8 RHEL
8/ 8.2/ 8.3/ 8.4/
8.5/ 8.6/ 8.7		 RHEL 9/
9.2		 Ubuntu 16.04 Ubuntu
18.04 / 22.04		 SLES 15.5 OEL 8.9 Rocky 9.5 AlmaLinux 9.5 Solaris 10 Solaris 11.3/
11.4		 AIX 7.2/
7.3		 FreeBSD 13.3 Mac OS X
13.6 / 14.5
bandwidth.sh Y Y Y Y Y Y Y Y Y Y Y1 Y2 Y N3 N3
common.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
cpu_metric.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
df.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
df_metric.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
hardware.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
interfaces_metric.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
iostat_metric.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
lastlog.sh Y Y Y Y Y Y Y Y Y Y Y Y N Y Y
lsof.sh Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 N N N Y14 Y14
netstat.sh Y Y Y Y Y Y Y Y Y Y N N N N Y
nfsiostat.sh12 Y Y Y Y Y Y Y Y Y Y N N N N N
openPorts.sh Y5 Y5 Y5 Y5 Y Y Y Y Y Y5 Y5 Y Y Y
openPortsEnhanced.sh Y Y Y Y Y Y Y Y Y Y Y Y N N Y
package.sh Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y14 Y6, 14, 16 Y14, 16 Y14
passwd.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
protocol.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y
ps.sh Y Y Y Y Y Y Y Y Y Y Y Y Y7 Y
ps_metric.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y7 Y
rlog.sh Y8 Y8 Y8 Y8 Y Y Y8 Y Y Y N N N N N
selinuxChecker.sh Y Y Y Y N Y Y Y Y Y N N N N N
service.sh Y Y Y N10 Y Y Y Y Y Y Y Y N N Y
sshdChecker.sh Y Y Y Y Y Y Y Y Y Y Y Y N N N
time.sh Y Y11 Y11 Y11 Y Y Y Y Y Y Y Y Y11 Y Y
top.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
update.sh Y Y Y Y Y Y Y Y Y Y N N N N Y
uptime.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
usersWithLoginPrivs.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
version.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y
vmstat.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vmstat_metric.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y N
vsftpdChecker.sh Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15 Y15
who.sh Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Notes

  1. Supported, requires netstat -i. The fields rxKB_PS and txKB_PS are set to because netstat on Solaris 10 and 11 does not provide this information.
  2. Supported, requires dlstat.
  3. Not supported, sar is not available.
  4. Not supported, /bin/darwin_disk_stats is not available.
  5. Supported, script indexes Header information as an extra event.
  6. Supported. pkg_info is deprecated, and pkg info is being used.
  7. Supported, COMMAND field value is truncated.
  8. Supported, error log messages are included. Not supported for RHEL/CentOS version 7.3.
  9. Supported, requires ausearch.
  10. Not supported, chkconfig is not available.
  11. Supported, requires ntpdate or chrony for RHEL version 8.
  12. Supported with only Linux OS configurations, requires the nfs-utils package.
  13. Only FreeNAS 11.3U1 is supported.
  14. Bash shell is required to run the script. Install the bash package for the input.
  15. Requires vsftpd package.
  16. Data for Name,Version and Architecture of the package will be ingested by the Splunk software.

Robust implementation of scripts for Splunk Add-on for Unix and Linux

Version 8.9.0

As part of version 8.9.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of cpu scripts to make it more robust and to work more efficiently for the AIX operating system.

Changes made as part of cpu scripts

The tables below show field names extracted for cpu scripts. It lists the normalized field names which the cpu scripts previously output before version 8.9.0 and also displays the new ‘raw’ field names output starting with version 8.9.0. We’ve also maintained a backward compatibility of the older fields along with adding the new fields from the raw output.

Table for cpu scripts

cpu.sh
Fields in old script’s output Equivalent fields in new script’s output for AIX OS
CPU cpu
pctUser us
pctSystem sy
pctIowait wa
pctIdle id
cpu_metric.sh
Fields in old script’s output Equivalent fields in new script’s output for AIX OS
metric_name:cpu_metric.pctUser metric_name:cpu_metric.us
metric_name:cpu_metric.pctSystem metric_name:cpu_metric.sy
metric_name:cpu_metric.pctIowait metric_name:cpu_metric.wa
metric_name:cpu_metric.pctIdle metric_name:cpu_metric.id

Version 8.7.0

As part of version 8.7.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of ps, interfaces and df scripts to make them more robust and to work more efficiently across all supported operating systems.

Changes made as part of ps and df scripts

The tables below show field names extracted for ps and df scripts. It lists the normalized field names which the ps and df scripts previously output before version 8.7.0 and also displays the new ‘raw’ field names output starting with version 8.7.0. We’ve also maintained a backward compatibility of the older fields along with adding the new fields from the raw output.

Tables for ps scripts

ps.sh
Fields in old script’s output Equivalent fields in new script’s output for Linux Kernel OSs
CPUTIME TIME
RSZ_KB RSS
S STAT
TTY TTY
VSZ_KB VSZ
pctCPU CPU
pctMEM MEM
ps_metric.sh
Fields in Old script’s output Equivalent fields in new script’s output for all supported Kernels
metric_name:ps_metric.RSZ_KB metric_name:ps_metric.RSS
metric_name:ps_metric.VSZ_KB metric_name:ps_metric.VSZ
metric_name:ps_metric.pctCPU metric_name:ps_metric.CPU
metric_name:ps_metric.pctMEM metric_name:ps_metric.MEM

For ps and ps_metric scripts, ELAPSED and PSR were removed from kernel outputs except for AIX and SunOS as part of v8.7.0.

For the USER field in ps scripts, the add-on previously removed the preceding underscore (if any) from the value and then ingested the field. From v8.7.0 onwards, the add-on will be ingesting the value of the field as it is. If this field is used by any of your applications or use cases, Splunk best practice is to update them accordingly.

Tables for df scripts

df.sh
Fields in old script’s output Equivalent fields in new script’s output for Linux Kernel OSs
Size Size
Avail Avail
UsePct Use_
INodes Inodes
IUsed IUsed
IFree IFree
IUsePct IUse_
df_metric.sh
Fields in Old script’s output Equivalent fields in new script’s output for Linux Kernel OSs
metric_name:df_metric:Size metric_name:df_metric:1K-blocks
metric_name:df_metric:Avail metric_name:df_metric:Avail
metric_name:df_metric:UsePct metric_name:df_metric:Use
metric_name:df_metric:INodes metric_name:df_metric:Inodes
metric_name:df_metric:IUsed metric_name:df_metric:IUsed
metric_name:df_metric:IFree metric_name:df_metric:IFree
metric_name:df_metric:IUsePct metric_name:df_metric:IUse
metric_name:df_metric:Used metric_name:df_metric:Used
metric_name:df_metric:Size_KB metric_name:df_metric:1K-blocks
metric_name:df_metric:Avail_KB metric_name:df_metric:Avail

Changes made as part of interfaces scripts

We have made the interfaces scripts less error prone in case the output of the raw command changes. No new fields were added for interfaces scripts as part of v8.7.0

Version 8.6.0

As part of version 8.6.0 of the Splunk Add-on for Unix and Linux, we updated the implementation of iostat scripts to make them more robust and to work more efficiently across all supported operating systems.

The most significant change is in regards to field extractions; Splunk best practice is now to extract data into both the raw field names output by the iostat command as well as the normalized field names that the add-on previously used. This enables you to build Splunk content (searches, reports, dashboards, etc) and leverage all the data points produced by the iostat command.

The table below shows an example of field names extracted on Ubuntu OS. It lists the normalized field names which the iostat script previously displayed before version 8.6.0 and also displays the new ‘raw’ field names output starting with version 8.6.0. Splunk maintains backward compatibility of existing content as older fields are extracted, but Splunk best practice is to update content to use the new field names.

Old field extraction names New field extraction names
rReq_PS r_s
rKB_PS rkB_s
rrqmPct rrqm
rAvgReqSZkb rareq_sz
rAvgWaitMillis r_await
wReq_PS w/s
wKB_PS wKB_s
wrqmPct wrqm
wAvgWaitMilli w_await
wAvgReqSZkb wareq_sz
avgQueueSZ aqu_sz
bandwUtilPct util
avgSvcMillis svctm
avgWaitMillis await

The following table provides the Search time performance metric for Unix and Linux TA version 10.0.0, where

  • total ingested events = 35M
  • Machine Specifications = m5.large (2 vCPUs, 8.0 GiB of memory and up to 10 Gibps of bandwidth)
Sourcetype Search Query Event count Search Time in Seconds
Linux:SELinuxConfig index=main spurcetype=Linux:SELinuxConfig 1000000 27.149
Unix:ListeningPorts index=main spurcetype=Unix:ListeningPorts 1000000 27.829
Unix:SSHDConfig index=main spurcetype=Unix:SSHDConfig 1000000 28.1195
Unix:Service index=main spurcetype=Unix:Service 1000000 28.7235
Unix:Update index=main spurcetype=Unix:Update 1000000 29.0225
Unix:Uptime index=main spurcetype=Unix:Uptime 1000000 26.185
Unix:UserAccounts index=main spurcetype=Unix:UserAccounts 1000000 31.4405
Unix:VSFTPDConfig index=main spurcetype=Unix:VSFTPDConfig 1000000 30.285
Unix:Version index=main spurcetype=Unix:Version 1000000 34.8225
aix_secure index=main spurcetype=aix_secure 1000000 48.667
auditd index=main spurcetype=auditd 1000000 45.6775
bandwidth index=main spurcetype=bandwidth 1000000 32.818
cpu index=main spurcetype=cpu 1000000 43.0995
df index=main spurcetype=df 1000000 49.058
dhcpd index=main spurcetype=dhcpd 1000000 75.419
hardware index=main spurcetype=hardware 1000000 45.0395
interfaces index=main spurcetype=interfaces 1000000 44.868
iostat index=main spurcetype=iostat 1000000 61.5745
lastlog index=main spurcetype=lastlog 1000000 30.6895
linux_audit index=main spurcetype=linux_audit 1000000 46.4935
linux_secure index=main spurcetype=linux_secure 1000000 61.401
lsof index=main spurcetype=lsof 1000000 35.1035
netstat index=main spurcetype=netstat 1000000 41.1655
nfsiostat index=main spurcetype=nfsiostat 1000000 37.9745
openPorts index=main spurcetype=openPorts 1000000 26.067
package index=main spurcetype=package 1000000 33.6925
protocol index=main spurcetype=protocol 1000000 35.889
ps index=main spurcetype=ps 1000000 51.4015
syslog index=main spurcetype=syslog 1000000 57.361
time index=main spurcetype=time 1000000 32.249
top index=main spurcetype=top 1000000 34.978
usersWithLoginPrivs index=main spurcetype=usersWithLoginPrivs 1000000 27.7015
vmstat index=main spurcetype=vmstat 1000000 56.173
who index=main spurcetype=who 1000000 28.9615

Ended: Reference