Use ip command to determine IP address ('hostname -I' does not work on all Linux systems)

Filter out multiple listing of the same btrfs volume
Use mktemp for temp files (for times when the TA may be run outside of Splunk)
If running rlog.sh outside of Splunk, use $HOME to store seek file
Debian also uses apt
Arch Linux uses pacman
Add use of sudo -n for 'apt update' and 'pacman -Syy'
vmstat uses "K paged out"
Replace the use of 'sar' with netstat and vm_stat for MacOS

VERSION

@@ -1,2 +1,2 @@
-9.2.0
-9.2.0
+9.2.0.1
+9.2.0.1

app.manifest

@@ -4,9 +4,9 @@
     "info": {
         "author": [
             {
-                "company": "Splunk, Inc.",
-                "email": "support@splunk.com",
-                "name": "Splunk, Inc."
+                "company": "erdelynet.com",
+                "email": "mike@erdelynet.com",
+                "name": "erdelynet.com"
             }
         ],
         "classification": {
@@ -25,11 +25,11 @@
             "Network Sessions": "=4.20.2",
             "Performance": "=4.20.2"
         },
-        "description": "Splunk Add-on for Unix and Linux",
+        "description": "Technical Add-on for Unix and Linux",
         "id": {
             "group": null,
-            "name": "Splunk_TA_nix",
-            "version": "9.2.0"
+            "name": "TA-nix",
+            "version": "9.2.0.1"
         },
         "license": {
             "name": "Splunk Software License Agreement",
@@ -45,9 +45,9 @@
         "releaseNotes": {
             "name": "README",
             "text": "./README.txt",
-            "uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes"
+            "uri": "https://git.erdelynet.com/mike/TA-nix/docs/ReleaseNotes.md"
         },
-        "title": "Splunk Add-on for Unix and Linux"
+        "title": "Technical Add-on for Unix and Linux"
     },
     "inputGroups": null,
     "platformRequirements": null,
@@ -63,4 +63,4 @@
         "_indexers"
     ],
     "tasks": null
-}
+}

bin/bandwidth.sh

@@ -66,11 +66,11 @@ elif [ "$KERNEL" = "AIX" ] ; then
     # shellcheck disable=SC2016
     FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}'
 elif [ "$KERNEL" = "Darwin" ] ; then
-    CMD='sar -n DEV 1 2'
+    CMD='eval ifconfig -a -u | awk "/^[^ \t]/{i=substr(\$1,1,length(\$1)-1)}/status: active/{print i}" | while read -r int; do netstat -bnI $int -w 1 | head -n3 | sed "s/^/$int/"; done'
     # shellcheck disable=SC2016
-    FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}'
+    FILTER='$2~/^(input|packets)$/{next}'
     # shellcheck disable=SC2016
-    FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}'
+    FORMAT='{Name=$1; rxPackets_PS=$2; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$7/1024}'
 elif [ "$KERNEL" = "HP-UX" ] ; then
     # Sample output: http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324
     CMD='netstat -i 1 2'

bin/cpu_metric.sh

@@ -16,9 +16,9 @@ if [ "$KERNEL" = "Linux" ] ; then
     queryHaveCommand mpstat
     FOUND_MPSTAT=$?
     if [ ! -f "/etc/os-release" ] ; then
-        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\  -f1)"
+        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
     else
-        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\  -f1)"
+        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
     fi
     if [ $FOUND_SAR -eq 0 ] ; then
         CMD='sar -P ALL 1 1'

bin/df.sh

@@ -12,6 +12,8 @@ if [ "$KERNEL" = "Linux" ] ; then
 	# shellcheck disable=SC2016
 	BEGIN='BEGIN { OFS = "\t" }'
 	# shellcheck disable=SC2016
+	FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}'
+	# shellcheck disable=SC2016
 	FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
 	# shellcheck disable=SC2016
 	PRINTF='

bin/df_metric.sh

@@ -13,12 +13,14 @@ if [ "$KERNEL" = "Linux" ] ; then
     assertHaveCommand df
     CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target'
     if [ ! -f "/etc/os-release" ] ; then
-        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\  -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
+        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
     else
-        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\  -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
+        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
     fi
     BEGIN='BEGIN { OFS = "\t" }'
     FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}'
+	# shellcheck disable=SC2016
+	FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}'
 	# shellcheck disable=SC2016
 	FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
     # shellcheck disable=SC2016

bin/hardware.sh

@@ -9,7 +9,7 @@ FORMAT='{key = $1; if (NF == 1) {value = "<notAvailable>"} else {value = $2; for
 PRINTF='{printf("%-20s  %-s\n", key, value)}'
 
 if [ "$KERNEL" = "Linux" ] ; then
-	TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile # For filtering out lshw warning from stderr
+	TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out lshw warning from stderr
 	queryHaveCommand ip
 	FOUND_IP=$?
 	# CPUs

bin/interfaces_metric.sh

@@ -18,9 +18,9 @@ if [ "$KERNEL" = "Linux" ] ; then
 	queryHaveCommand ip
 	FOUND_IP=$?
 	if [ ! -f "/etc/os-release" ] ; then
-        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\  -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
+        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
     else
-        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\  -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
+        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
     fi
 	if [ $FOUND_IP -eq 0 ]; then
 		CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"

bin/iostat_metric.sh

@@ -11,9 +11,9 @@ if [ "$KERNEL" = "Linux" ] ; then
 	CMD='iostat -xky 1 1'
 	assertHaveCommand "$CMD"
 	if [ ! -f "/etc/os-release" ] ; then
-        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\  -f1)"
+        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
     else
-        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\  -f1)"
+        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
     fi
 	FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
 	# shellcheck disable=SC2016

bin/ps_metric.sh

@@ -12,9 +12,9 @@ if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; th
     CMD='ps auxww'
     if [ "$KERNEL" = "Linux" ] ; then
         if [ ! -f "/etc/os-release" ] ; then
-            DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\  -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
+            DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
         else
-            DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\  -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
+            DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
         fi
     elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
         # Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.

bin/rlog.sh

@@ -7,10 +7,16 @@
 # shellcheck disable=SC1091
 . "$(dirname "$0")"/common.sh
 
-OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
+if [ -n "$SPLUNK_DB" ]; then
+  OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
+  SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
+else
+  # handle the case where this is not being run by the Splunk user from Splunk
+  OLD_SEEK_FILE=$HOME/.splunk_unix_audit_seekfile # For handling upgrade scenarios
+  SEEK_FILE=$HOME/.splunk_unix_audit_seektime
+fi
 CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios
-SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
-TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr
+TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out "no matches" error from stderr
 AUDIT_FILE="/var/log/audit/audit.log*"
 
 if [ "$KERNEL" = "Linux" ] ; then

bin/selinuxChecker.sh

@@ -5,7 +5,7 @@
 # shellcheck disable=SC1091
 . "$(dirname "$0")"/common.sh
 
-TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_selinux_error_tmpfile # For filtering out awk warning from stderr
+TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out awk warning from stderr
 PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}'
 
 if [ "$KERNEL" = "Linux" ] ; then

bin/update.sh

@@ -5,18 +5,21 @@
 # shellcheck disable=SC1091
 . "$(dirname "$0")"/common.sh
 
-TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_update_error_tmpfile # For filering out apt warning from stderr
+TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out apt warning from stderr
 
 if [ "$KERNEL" = "Linux" ] ; then
 	assertHaveCommand date
     OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2)
 	OS_FILE=/etc/os-release
 	# Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages
-    if [ "$OSName" = "Ubuntu" ]; then
+    if [ "$OSName" = "Ubuntu" ] || [ "$OSName" = "Debian_GNU/Linux" ]; then
 		assertHaveCommand apt
 		assertHaveCommand sed
+		# For this to work properly, add a line to /etc/sudoers like this:
+		# splunk ALL=(root) NOPASSWD: /usr/bin/apt update
+		# Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script
 		# sed command here replaces '/, [, ]' with ' '
-		CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
+		CMD='eval date ; sudo -n apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
 		# shellcheck disable=SC2016
 		PARSE_0='NR==1 {DATE=$0}'
 		# shellcheck disable=SC2016
@@ -33,6 +36,18 @@ if [ "$KERNEL" = "Linux" ] ; then
 		# shellcheck disable=SC2016
 		PARSE_2='header_found { gsub(/[[:space:]]*\|[[:space:]]*/, "|"); split($0, arr, /\|/); printf "%s repository=%s package=%s current_package_version=%s latest_package_version=%s sles_architecture=%s\n", DATE, arr[2], arr[3], arr[4], arr[5], arr[6]}'
 		MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
+  elif [ "$OSName" = "Arch_Linux" ] || [ "$OSName" = "Arch_Linux_ARM" ]; then
+		assertHaveCommand checkupdates
+		assertHaveCommand sed
+		# For this to work properly, add a line to /etc/sudoers like this:
+		# splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
+		# Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update)
+		CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
+		# shellcheck disable=SC2016
+		PARSE_0='NR==1 {DATE=$0}'
+		PARSE_1='NR==2 {ARCH=$0}'
+		PARSE_2='NR>2 {printf "%s arch_architecture=%s package=%s current_package_version=%s latest_package_version=%s\n", DATE, ARCH, $1, $2, $4}'
+		MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
 	else
 		assertHaveCommand yum
 

bin/vmstat.sh

@@ -26,7 +26,7 @@ if [ "$KERNEL" = "Linux" ] ; then
 	# shellcheck disable=SC2016
 	PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
 	# shellcheck disable=SC2016
-	PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
+	PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
 	# shellcheck disable=SC2016
 	PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
 	# shellcheck disable=SC2016
@@ -126,9 +126,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
 elif [ "$KERNEL" = "Darwin" ] ; then
 	assertHaveCommand sysctl
 	assertHaveCommand top
-	assertHaveCommand sar
+	assertHaveCommand vm_stat
 	# shellcheck disable=SC2016
-	CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
+	CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"'
 	FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
 	# shellcheck disable=SC2016
 	PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
@@ -137,24 +137,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 	# shellcheck disable=SC2016
 	PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
 	# shellcheck disable=SC2016
-	PARSE_3='/^VM:/ {pgPageOut=0+$7}'
-	if $OSX_GE_SNOW_LEOPARD; then
-		# shellcheck disable=SC2016
-		PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
-	else
-		# shellcheck disable=SC2016
-		PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
-	fi
+	PARSE_3='/^pgpageout / {pgPageOut=0+$2}'
+	# shellcheck disable=SC2016
+	PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
 	# shellcheck disable=SC2016
 	PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
 	# shellcheck disable=SC2016
 	PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
 	# shellcheck disable=SC2016
-	PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
+	PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}'
 	# shellcheck disable=SC2016
-	PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
+	PARSE_8='/^pgswapout / {pgSwapOut=0+$2}'
 	MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
-	FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
+	FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}'
 elif [ "$KERNEL" = "FreeBSD" ] ; then
 	# shellcheck disable=SC2016
 	CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'

bin/vmstat_metric.sh

@@ -23,16 +23,16 @@ if [ "$KERNEL" = "Linux" ] ; then
 	# shellcheck disable=SC2016
 	CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
 	if [ ! -f "/etc/os-release" ] ; then
-        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\  -f1)"
+        DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
     else
-        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\  -f1)"
+        DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
     fi
 	# shellcheck disable=SC2016
 	PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
 	# shellcheck disable=SC2016
 	PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
 	# shellcheck disable=SC2016
-	PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
+	PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
 	# shellcheck disable=SC2016
 	PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
 	# shellcheck disable=SC2016
@@ -136,9 +136,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
 elif [ "$KERNEL" = "Darwin" ] ; then
 	assertHaveCommand sysctl
 	assertHaveCommand top
-	assertHaveCommand sar
+	assertHaveCommand vm_stat
 	# shellcheck disable=SC2016
-	CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
+	CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"'
 	DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\  -f2 | head -n 1)"
     FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
 	# shellcheck disable=SC2016
@@ -148,24 +148,19 @@ elif [ "$KERNEL" = "Darwin" ] ; then
 	# shellcheck disable=SC2016
 	PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
 	# shellcheck disable=SC2016
-	PARSE_3='/^VM:/ {pgPageOut=0+$7}'
-	if $OSX_GE_SNOW_LEOPARD; then
-		# shellcheck disable=SC2016
-		PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
-	else
-		# shellcheck disable=SC2016
-		PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
-	fi
+	PARSE_3='/^pgpageout / {pgPageOut=0+$2}'
+	# shellcheck disable=SC2016
+	PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
 	# shellcheck disable=SC2016
 	PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
 	# shellcheck disable=SC2016
 	PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
 	# shellcheck disable=SC2016
-	PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
+	PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}'
 	# shellcheck disable=SC2016
-	PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
+	PARSE_8='/^pgswapout / {pgSwapOut=0+$2}'
 	MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
-	FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
+	FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}'
 elif [ "$KERNEL" = "FreeBSD" ] ; then
 	# shellcheck disable=SC2016
 	CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'

default/app.conf

@@ -12,19 +12,19 @@ build = 1720176219
 [ui]
 setup_view = ta_nix_configuration
 is_visible = true
-label = Splunk Add-on for Unix and Linux
+label = Technical Add-on for Unix and Linux
 docs_section_override = AddOns:released
 
 [launcher]
-author = Splunk, Inc.
-version = 9.2.0
-description = Splunk Add-on for Unix and Linux
+author = Michael Erdely
+version = 9.2.0.1
+description = Technical Add-on for Unix and Linux
 
 [package]
-id = Splunk_TA_nix
+id = TA-unix
 check_for_updates = true
 
 [id]
-name = Splunk_TA_nix
-version = 9.2.0
+name = TA-unix
+version = 9.2.0.1
 

docs/ReleaseNotes.md

@@ -0,0 +1,18 @@
+# Technical Add-on for Unix and Linux
+
+## Version 9.2.0.1
+
+Initial fork of the Splunk Add-on for Unix and Linux
+
+Changes:
+
+* Use ip command to determine IP address
+  ('hostname -I' does not work on all Linux systems)
+* Filter out multiple listing of the same btrfs volume
+* Use mktemp for temp files (for times when the TA may be run outside of Splunk)
+* If running rlog.sh outside of Splunk, use $HOME to store seek file
+* Debian also uses apt
+* Arch Linux uses pacman
+* Add use of sudo -n for 'apt update' and 'pacman -Syy'
+* vmstat uses "K paged out"
+* Replace the use of 'sar' with netstat and vm_stat for MacOS

splunkbase.manifest

@@ -1,10 +1,11 @@
 {
   "version": "1.0",
   "date": "2024-10-18T12:52:23.073000921Z",
+  "date": "2025-01-08T18:38:19.132050611Z",
   "hashAlgorithm": "SHA-256",
   "app": {
     "id": 833,
-    "version": "9.2.0",
+    "version": "9.2.0.1",
     "files": [
       {
         "path": "LICENSES/Apache-2.0.txt",
@@ -28,11 +29,11 @@
       },
       {
         "path": "VERSION",
-        "hash": "4b083d27782e80fd5bce34252adc7de9e9ab611475e170cb507e49586483025e"
+        "hash": "fd47b230df0f247b21e965b9529efd00447fdbf1cb1740848b529f79a9feacac"
       },
       {
         "path": "app.manifest",
-        "hash": "24b4bb6f47bc1472038f5c983ec91705052162da89555f52a78c9f3c830cfd82"
+        "hash": "251b481753129caea80da188d33f2b99bbd178560e136ee2936b4e9499e1416e"
       },
       {
         "path": "appserver/static/appIcon.png",
@@ -76,19 +77,19 @@
       },
       {
         "path": "bin/cpu_metric.sh",
-        "hash": "2d175a98ded5f141b20fd3b3847217447b5489b4d989512d8b8679a4f2777a0b"
+        "hash": "c5e937d91afab8ec06376a0db3c79f37e0da6377ea2b34cfde67793d89fd14d5"
       },
       {
         "path": "bin/df.sh",
-        "hash": "27b0ad779340e6bd8a26e296ce9b0b9cd2721eaadcf4669e5579560a676c9db7"
+        "hash": "15c4e33987209afe1cb807af7aecfbd522107746d318827d161d1ee233d00acf"
       },
       {
         "path": "bin/df_metric.sh",
-        "hash": "4457b92d8d8ee24441eb38df2134113f5a821111b7c3573b48313adcee39d3e8"
+        "hash": "286830c6b30cc9a3e5240e3b63db0edd2c68c9e797d452483dea09b4ad6f48e9"
       },
       {
         "path": "bin/hardware.sh",
-        "hash": "20e341826d21047e9cc3b7cd632422f6b9a0364282333616c1f912b4dddb7093"
+        "hash": "7722f446226609784d219cb525eee3ed65d622ce05122301f65625c6fd2e4434"
       },
       {
         "path": "bin/interfaces.sh",
@@ -96,7 +97,7 @@
       },
       {
         "path": "bin/interfaces_metric.sh",
-        "hash": "9458deb6ba4c56a22264df75d42945e170f6f1a729d93220617c85810733ef19"
+        "hash": "374e24c7e87669fbd25ded5e56c05fd057c0c272e03e0df6cabcd5db31267db9"
       },
       {
         "path": "bin/iostat.sh",
@@ -104,7 +105,7 @@
       },
       {
         "path": "bin/iostat_metric.sh",
-        "hash": "4af68e89e6a93fa34ccd724ff78a509b7868bc06e60a4f16a6aa24d300d8efc8"
+        "hash": "59b775cc60e92950605b621989ee17aa947adc07d407c78b657ecedf90452f77"
       },
       {
         "path": "bin/lastlog.sh",
@@ -148,15 +149,15 @@
       },
       {
         "path": "bin/ps_metric.sh",
-        "hash": "0c3dc356f47728b9b99be79fffe40256eded1644f599b1bbe8b1a9e8db05b10d"
+        "hash": "ff65aec6a98560667d08e1b75f4661d99b5255be239756f89cc72a58d1e44fe2"
       },
       {
         "path": "bin/rlog.sh",
-        "hash": "271fcaf091527670df3e794c29d7bf57d1371909c72c25d56c79dd136b029513"
+        "hash": "96d0cc8f2c0beec46bca37d7ddf73c122f76525b7363d9a2fec92125abab83a2"
       },
       {
         "path": "bin/selinuxChecker.sh",
-        "hash": "07135df789924f8d4f5ae8228ccbfe0a5e47756de202fcf00a019a12712d8312"
+        "hash": "409ad1927603069c7b08e09e60f2edf1c7e50f02eb6a64c7a514693131dc82e6"
       },
       {
         "path": "bin/service.sh",
@@ -184,7 +185,7 @@
       },
       {
         "path": "bin/update.sh",
-        "hash": "048f6e678f873d2b856ec851c52389d9f8d5ccde0fee0ead0dcf5348cc3cb587"
+        "hash": "2cce5510b8cf94e3c32681c934985a01164e2b63b64d458de9a7dc0ff81bc679"
       },
       {
         "path": "bin/uptime.sh",
@@ -200,11 +201,11 @@
       },
       {
         "path": "bin/vmstat.sh",
-        "hash": "b816aa5e67ad18b995eb577e16ca7c91ae3ecdeeb019d0b79321ade83a90daef"
+        "hash": "9ce5a407629d5d47c2c3f8b1d046f712d24a232950c54d450ddbc21bd34aea84"
       },
       {
         "path": "bin/vmstat_metric.sh",
-        "hash": "47df351e2afd7abedb49f8d38f5350ce6276fdb512005ba56e7ff9692f581515"
+        "hash": "85c516f1d73b9cb45e3b16819fada786753fa417f2fbded1955ccace62de41f8"
       },
       {
         "path": "bin/vsftpdChecker.sh",
@@ -216,7 +217,7 @@
       },
       {
         "path": "default/app.conf",
-        "hash": "451c717df6073aabd78b5ba4abb33ac71b6d61df8d46a243913b01ed9ac77040"
+        "hash": "e5c48e804d836b03361fea96c1e78f265116f5117a739f4dad9bc1916ad873f8"
       },
       {
         "path": "default/data/ui/nav/default.xml",
@@ -320,7 +321,8 @@
         "9.0",
         "9.1",
         "9.2",
-        "9.3"
+        "9.3",
+        "9.4"
       ],
       "architectures": [
         "x86_64"
@@ -356,4 +358,4 @@
       ]
     }
   ]
-}
+}