

1 commit

53 changed files with 624 additions and 1140 deletions


@ -1,23 +0,0 @@
TEMP_DIR := $(shell mktemp -d)
WORK_DIR := $(TEMP_DIR)/TA-unix
VERSION := $(shell head -n1 VERSION)
TAR_FILE := ./ta-for-unix-and-linux-$(VERSION).tgz
all: release
updateversion:
ifndef NEW
$(error NEW is not specified. Usage make NEW=<newversion> updateversion)
endif
sed -ri "s/$(VERSION)/$(NEW)/g" app.manifest default/app.conf VERSION
release:
mkdir -p $(WORK_DIR)
cp -R . $(WORK_DIR)/
rm -Rf $(WORK_DIR)/Makefile $(WORK_DIR)/.git $(WORK_DIR)/local $(WORK_DIR)/bin/__pycache__ $(WORK_DIR)/ta-for-unix-and-linux-*.tgz
tar -C $(TEMP_DIR) -czf $(TAR_FILE) TA-unix
test -d $(HOME)/Downloads && cp $(TAR_FILE) $(HOME)/Downloads
rm -Rf $(TEMP_DIR)
clean:
rm -Rf ./ta-for-unix-and-linux-*.tgz $(TEMP_DIR)


@ -1,8 +1,4 @@
Technical Add-on for Unix and Linux
Copyright (C) 2025 Michael Erdely All Rights Reserved.
Splunk Add-on for Unix and Linux
Copyright (C) 2024 Splunk Inc. All Rights Reserved.
For documentation, see: https://git.erdelynet.com/mike/TA-unix/src/branch/main/docs/ReleaseNotes.md
For documentation on Splunk's Add-on for Unix and Linux (which applies to this TA too), see:
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/
For documentation, see: https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/


@ -1,2 +1,2 @@
10.0.0.1
10.0.0.1
10.0.0
10.0.0


@ -4,9 +4,9 @@
"info": {
"author": [
{
"name": "Michael Erdely",
"email": mike@erdelynet.com,
"company": "erdelynet.com"
"name": "Splunk, Inc.",
"email": null,
"company": null
}
],
"classification": {
@ -25,11 +25,11 @@
"Network Sessions": "==6.0.2",
"Performance": "==4.20.2"
},
"description": "Technical Add-on for Unix and Linux",
"description": "Splunk Add-on for Unix and Linux",
"id": {
"group": null,
"name": "TA-unix",
"version": "10.0.0.1"
"name": "Splunk_TA_nix",
"version": "10.0.0"
},
"license": {
"name": "Splunk Software License Agreement",
@ -45,9 +45,9 @@
"releaseNotes": {
"name": "README",
"text": "./README.txt",
"uri": "https://git.erdelynet.com/mike/TA-unix/docs/ReleaseNotes.md"
"uri": "https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes"
},
"title": "Technical Add-on for Unix and Linux"
"title": "Splunk Add-on for Unix and Linux"
},
"inputGroups": null,
"platformRequirements": null,


@ -25,7 +25,7 @@ define([
root.ScriptedInput = root.Entity.extend({
path: function () {
// Approximate path - accepts reads only
// ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FTA-unix%2Fbin%2Fcpu.sh
// ex: data/inputs/script/%2FApplications%2Fsplunk_622light_unix%2Fetc%2Fapps%2FSplunk_TA_nix%2Fbin%2Fcpu.sh
return Paths.monitorInputs + '/' + encodeURIComponent(this.name)
},


@ -9,8 +9,8 @@ require([
'splunkjs/mvc/simplexml/ready!',
'underscore',
'jquery',
'../app/TA-unix/components/js_sdk_extensions/scripted_inputs',
'../app/TA-unix/components/js_sdk_extensions/monitor_inputs'
'../app/Splunk_TA_nix/components/js_sdk_extensions/scripted_inputs',
'../app/Splunk_TA_nix/components/js_sdk_extensions/monitor_inputs'
], function (mvc, ignored, _, $, sdkx_scripted_inputs, sdkx_monitor_inputs) {
var ScriptedInputs = sdkx_scripted_inputs.ScriptedInputs
var MonitorInputs = sdkx_monitor_inputs.MonitorInputs
@ -66,11 +66,11 @@ require([
var monitorInputs = {}
new MonitorInputs(service, {
owner: '-',
app: 'TA-unix',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
return input.namespace.app === 'TA-unix'
return input.namespace.app === 'Splunk_TA_nix'
})
_.each(inputsList, function (input) {
@ -93,7 +93,7 @@ require([
var scriptedMetricInputs = {}
new ScriptedInputs(service, {
owner: '-',
app: 'TA-unix',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
@ -101,7 +101,7 @@ require([
.substring(input.name.lastIndexOf('/') + 1)
.split('_')
return (
input.namespace.app === 'TA-unix' &&
input.namespace.app === 'Splunk_TA_nix' &&
input_name[input_name.length - 1] === 'metric.sh'
)
})
@ -129,7 +129,7 @@ require([
var scriptedEventInputs = {}
new ScriptedInputs(service, {
owner: '-',
app: 'TA-unix',
app: 'Splunk_TA_nix',
sharing: 'app'
}).fetch(function (err, inputs) {
var inputsList = _.filter(inputs.list(), function (input) {
@ -137,7 +137,7 @@ require([
.substring(input.name.lastIndexOf('/') + 1)
.split('_')
return (
input.namespace.app === 'TA-unix' &&
input.namespace.app === 'Splunk_TA_nix' &&
input_name[input_name.length - 1] !== 'metric.sh'
)
})


@ -1,5 +1,4 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -7,8 +6,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
HEADER='Name rxPackets_PS txPackets_PS rxKB_PS txKB_PS'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%s %s %s %s %s\n", Name, rxPackets_PS, txPackets_PS, rxKB_PS, txKB_PS}'
@ -69,11 +66,11 @@ elif [ "$KERNEL" = "AIX" ] ; then
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS="?"; txKB_PS="?"}'
elif [ "$KERNEL" = "Darwin" ] ; then
CMD='eval ifconfig -a -u | awk "/^[^ \t]/{i=substr(\$1,1,length(\$1)-1)}/status: active/{print i}" | while read -r int; do netstat -bnI $int -w 1 | head -n3 | sed "s/^/$int/"; done'
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
FILTER='$2~/^(input|packets)$/{next}'
FILTER='($0 !~ "Average" || $0 ~ "sar" || $2~/lo[0-9]|IFACE/) {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$2; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$7/1024}'
FORMAT='{Name=$2; rxPackets_PS=$3; txPackets_PS=$5; rxKB_PS=$4/1024; txKB_PS=$6/1024}'
elif [ "$KERNEL" = "HP-UX" ] ; then
# Sample output: http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c02263324
CMD='netstat -i 1 2'
@ -81,10 +78,6 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
FILTER='($0 ~ "Name|sar| lo") {next}'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$5; txPackets_PS=$7; rxKB_PS=?; txKB_PS=?}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD='eval ifconfig -a | awk "/UP/ && /RUNNING/ && \$1 != \"lo0:\" {print substr(\$1, 1, length(\$1) - 1)}" | while read -r int; do echo $int $(netstat -bnI $int -w 1 | head -n4 | tail -n1) $(netstat -nI $int -w 1 | head -n 4 | tail -n1 ); done'
# shellcheck disable=SC2016
FORMAT='{Name=$1; rxPackets_PS=$6; txPackets_PS=$8; rxKB_PS=$2/1024; txKB_PS=$2/1024}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='sar -n DEV 1 2'
# shellcheck disable=SC2016
@ -94,6 +87,6 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
# jscpd:ignore-end


@ -71,9 +71,6 @@ case "x$KERNEL" in
;;
"xFreeBSD")
;;
"xOpenBSD")
AWK=gawk
;;
"xAIX")
;;
"xHP-UX")


@ -5,8 +5,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
HEADER='Datetime CPU pctUser pctNice pctSystem pctIowait pctIdle'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle}'
@ -38,7 +36,7 @@ if [ "$KERNEL" = "Linux" ] ; then
printf "%-28s %-3s %9s %9s %9s %9s %9s\n", datetime, cpu, pctUser, pctNice, pctSystem, pctIowait, pctIdle;
}
}'
$CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "SunOS" ] ; then
@ -161,7 +159,7 @@ elif [ "$KERNEL" = "AIX" ] ; then
print "";
}'
fi
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT" | column -t
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FORMAT"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FORMAT'" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "Darwin" ] ; then
@ -200,29 +198,9 @@ elif [ "$KERNEL" = "Darwin" ] ; then
printf "%-28s %-3s %9s %9s %9s \n", datetime, cpu, pctUser, pctSystem, pctIdle;
}'
$CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
exit
elif [ "$KERNEL" = "OpenBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -1 -b; top -b'
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}'
# shellcheck disable=SC2016
FORMAT='{
if ($1 ~ /^[0-9]+$/)
cpu="all";
else if ($1 ~ /^CPU[0-9]+$/)
cpu=substr($1,4);
else cpu=0;
datetime="'"$formatted_date"'";
pctUser=substr($3,1,length($3)-1);
pctNice=substr($5,1,length($5)-1);
pctSystem=substr($7,1,length($7)-1);
pctIowait=substr($11,1,length($11)-1);
pctIdle=substr($13,1,length($13)-1);
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -P -d2 c; top -d2 c'
@ -253,5 +231,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
}'
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"


@ -1,13 +1,10 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
HEADER='Datetime pctUser pctNice pctSystem pctIowait pctIdle OSName OS_version IP_address CPU'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-28s %9s %9s %9s %9s %9s %-35s %15s %-16s %-3s\n", datetime, pctUser, pctNice, pctSystem, pctIowait, pctIdle, OSName, OS_version, IP_address,cpu}'
@ -19,9 +16,9 @@ if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand mpstat
FOUND_MPSTAT=$?
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
if [ $FOUND_SAR -eq 0 ] ; then
CMD='sar -P ALL 2 5'
@ -154,7 +151,7 @@ elif [ "$KERNEL" = "AIX" ] ; then
print "";
}'
fi
$CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS" | column -t
$CMD | tee "$TEE_DEST" | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS "$FORMAT $FILL_DIMENSIONS"
echo "Cmd = [$CMD]; | $AWK $DEFINE $DEFINE_LPARSTAT_FIELDS '$FORMAT $FILL_DIMENSIONS'" >>"$TEE_DEST"
exit
elif [ "$KERNEL" = "Darwin" ] ; then
@ -193,28 +190,6 @@ elif [ "$KERNEL" = "Darwin" ] ; then
OS_version=OS_version;
IP_address=IP_address;
}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -1 -b; top -b'
assertHaveCommand "$CMD"
# shellcheck disable=SC2016
FILTER='($0 !~ "^([0-9]+[\t ]+)?CPU"){next;}'
# shellcheck disable=SC2016
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
# shellcheck disable=SC2016
FORMAT='{
if ($1 ~ /^[0-9]+$/)
cpu="all";
else if ($1 ~ /^CPU[0-9]+$/)
cpu=substr($1,4);
else cpu=0;
datetime="'"$formatted_date"'";
pctUser=substr($3,1,length($3)-1);
pctNice=substr($5,1,length($5)-1);
pctSystem=substr($7,1,length($7)-1);
pctIowait=substr($11,1,length($11)-1);
pctIdle=substr($13,1,length($13)-1);
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
formatted_date=$(date +"%m/%d/%y_%H:%M:%S_%Z")
CMD='eval top -P -d2 c; top -d2 c'
@ -250,5 +225,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
}'
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $FILTER $FORMAT $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST"
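Review bot: `IP_address=$(hostname -I | cut -d\ -f1)` in the first hunk of this file reports whichever address `hostname -I` happens to list first, and that list has no guaranteed order (container bridges, VPN and secondary addresses included), so the dimension can change between runs on a multi-homed host; `-I` is also a procps/inetutils option that is absent on busybox-based images, where the value silently becomes empty and is presumably turned into `?` by `FILL_DIMENSIONS` further down. If the intent is "the address used to reach the outside", `ip -4 route get 1.1.1.1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if($i=="src") {print $(i+1); exit}}'` is stable wherever `ip` exists, with `hostname -I` kept as the fallback. Both `DEFINE` values are expanded unquoted into `$AWK $DEFINE` (deliberately, per the SC2086 disable), so any whitespace surviving in `OS_version` would become a stray awk argument — `VERSION_ID` values are normally single tokens, but unlike `OSName` this one gets no `tr ' ' '_'`, which is worth a one-line comment at the `DEFINE=` assignment. The Linux branch continues past that hunk.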


@ -1,13 +1,10 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
# jscpd:ignore-start
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand df
@ -15,9 +12,7 @@ if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
# shellcheck disable=SC2016
FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}'
# shellcheck disable=SC2016
FILTER_POST='/(devtmpfs|tmpfs|efivars)/ {next}'
FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
# shellcheck disable=SC2016
PRINTF='
{
@ -221,41 +216,48 @@ elif [ "$KERNEL" = "Darwin" ] ; then
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
fsTypes[key]=value;
}'
PRINTF='/^Filesystem/ {
printf "Filesystem\tType\tSize\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\n";
}
$0 !~ /^Filesystem/ && $0 !~ / on / {
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9;
}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660'
# shellcheck disable=SC2016
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for (i = 1; i <= NF; i++){
if ($i == "on" && $(i + 1) ~ /^\/.*/)
key = $(i + 1);
}
fsTypes[key] = $5;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='/^Filesystem/ {
print "Filesystem\tType\tSize\tUsed\tAvail\tUse%\tInodes\tIUsed\tIFree\tIUse%\tMountedOn";
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
for(i=1;i<=NF;i++){
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /^\/dev\/.*s[0-9]+$/){
sub("^/dev/", "", $i);
sub("s[0-9]+$", "", $i);
}
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
print $0;
}
}
$0 !~ /^Filesystem/ && $0 !~ / on / {
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, $5, $6+$7, $6, $7, $8, $9;
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
@ -312,5 +314,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
fi
# jscpd:ignore-end
$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
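Review bot: In the new Darwin `PRINTF` the `sub("s[0-9]+$", "", $i)` applied to `/dev/...s[0-9]+` devices discards the slice number, so on APFS hosts where several volumes share one container (e.g. `/dev/disk1s1` and `/dev/disk1s5`) every row reports the same `Filesystem` value `disk1` and the rows can no longer be distinguished; unless some downstream join needs the physical disk, keep only `sub("^/dev/", "", $i);`. The `$i ~ /^\/\S*/` test depends on `\S`, which is a GNU awk extension — if `$AWK` resolves to the system awk on macOS this may not match as intended (confirm), and `/^\/[^ \t]*/` is the portable spelling. The Darwin branch starts before this hunk, and the final pipeline at the end of the file changes only by dropping `column -t`.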


@ -1,13 +1,10 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
# shellcheck disable=SC2016
FILL_DIMENSIONS='{length(IP_address) || IP_address = "?";length(OS_version) || OS_version = "?";length(OSName) || OSName = "?";length(IPv6_Address) || IPv6_Address = "?"}'
@ -16,16 +13,14 @@ if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand df
CMD='df -k --output=source,fstype,size,used,avail,pcent,itotal,iused,iavail,ipcent,target'
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
BEGIN='BEGIN { OFS = "\t" }'
FORMAT='{OSName=OSName;OS_version=OS_version;IP_address=IP_address;IPv6_Address=IPv6_Address}'
# shellcheck disable=SC2016
FILTER_PRE='$2=="btrfs"&&btrfs[$1]==1{next}$2=="btrfs"{btrfs[$1]=1}'
# shellcheck disable=SC2016
FILTER_POST='/(devtmpfs|tmpfs|efivars)/ {next}'
FILTER_POST='/(devtmpfs|tmpfs)/ {next}'
# shellcheck disable=SC2016
PRINTF='
function rem_pcent(val)
@ -41,12 +36,13 @@ if [ "$KERNEL" = "Linux" ] ; then
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
} else {
if ($10 == "-") $10 = "0%";
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, rem_pcent($6), $7, $8, $9, rem_pcent($10), $11, OSName, OS_version, IP_address, IPv6_Address;
}
match($0,/^(.*[^ ]) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+) +([^ ]+%|-) +(.*)$/,a);
if (length(a) != 0)
{ printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", a[1], a[2], a[3], a[4], a[5], rem_pcent(a[6]), a[7], a[8], a[9], rem_pcent(a[10]), a[11], OSName, OS_version, IP_address, IPv6_Address}
}'
elif [ "$KERNEL" = "SunOS" ] ; then
@ -239,7 +235,9 @@ elif [ "$KERNEL" = "Darwin" ] ; then
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if($i=="on" && $(i+1) ~ /^\/.*/)
{
key=$(i+1);
}
if($i ~ /^\(/)
value=substr($i,2,length($i)-2);
}
@ -247,37 +245,51 @@ elif [ "$KERNEL" = "Darwin" ] ; then
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='/^Filesystem/ {
printf "Filesystem\tType\t1K-blocks\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\tOSName\tOS_version\tIP_address\tIPv6_Address\n";
}
$0 !~ /^Filesystem/ && $0 !~ / on / {
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, substr($5, 1, length($5) - 1), $6+$7, $6, $7, substr($8, 1, length($8) - 1), $9, OSName, OS_version, IP_address, IPv6_Address;
}'
PRINTF='
{
if($0 ~ /^Filesystem.*/){
sub("%iused","IUsePct",$0);
elif [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand mount
assertHaveCommand df
CMD='eval mount -t nodevfs,nonfs,noswap,nocd9660; df -ih -t nodevfs,nonfs,noswap,nocd9660'
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
# shellcheck disable=SC2016
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
BEGIN='BEGIN { OFS = "\t" }'
#Maps fsType
# shellcheck disable=SC2016
MAP_FS_TO_TYPE='/ on / {
for(i=1;i<=NF;i++){
if ($i == "on" && $(i + 1) ~ /^\/.*/)
key = $(i + 1);
if($i=="iused") iusedCol=i;
if($i=="ifree") ifreeCol=i;
if($i=="Mounted" && $(i+1)=="on"){
mountedCol=i;
sub("Mounted on","MountedOn",$0);
}
}
$(NF+1)="Type";
$(NF+1)="INodes";
$(NF+1)="OSName";
$(NF+1)="OS_version";
$(NF+1)="IP_address";
$(NF+1)="IPv6_Address";
print $0;
}
}
{
for(i=1;i<=NF;i++)
{
if($i ~ /.*\%$/)
$i=substr($i, 1, length($i)-1);
if($i ~ /^\/dev\/.*s[0-9]+$/){
sub("^/dev/", "", $i);
sub("s[0-9]+$", "", $i);
}
if($i ~ /^\/\S*/ && i==mountedCol){
$(NF+1)=fsTypes[$mountedCol];
$(NF+1)=$iusedCol+$ifreeCol;
$(NF+1)=OSName;
$(NF+1)=OS_version;
$(NF+1)=IP_address;
$(NF+1)=IPv6_Address;
print $0;
}
fsTypes[key] = $5;
}'
# Append Type and Inode headers to the main header and print respective fields from values stored in MAP_FS_TO_TYPE variables
# shellcheck disable=SC2016
PRINTF='/^Filesystem/ {
printf "Filesystem\tType\t1K-blocks\tUsed\tAvail\tUse%%\tInodes\tIUsed\tIFree\tIUse%%\tMountedOn\tOSName\tOS_version\tIP_address\tIPv6_Address\n";
}
$0 !~ /^Filesystem/ && $0 !~ / on / {
printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, fsTypes[$NF], $2, $3, $4, substr($5, 1, length($5) - 1), $6+$7, $6, $7, substr($8, 1, length($8) - 1), $9, OSName, OS_version, IP_address, IPv6_Address;
}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
@ -348,5 +360,5 @@ fi
# jscpd:ignore-end
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$BEGIN $HEADERIZE $FILTER_PRE $MAP_FS_TO_TYPE $FORMAT $FILTER_POST $NORMALIZE $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >>"$TEE_DEST"
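Review bot: The Linux `PRINTF` in the second hunk now relies on the three-argument `match($0, /.../, a)`, which is a gawk extension; with mawk (the default awk on Debian/Ubuntu) or busybox awk it is a syntax error and the host's entire df_metric output is lost rather than degraded. I cannot see from this page whether common.sh pins `$AWK` to gawk on Linux; if it does not, add `assertHaveCommand gawk` and `AWK=gawk` to the Linux branch, or keep a field-based fast path and only use the regex when `$1` contains a space. `rem_pcent` is defined outside the hunk, so I also cannot confirm what it returns for the bare `-` that `([^ ]+%|-)` admits for `ipcent` on inode-less filesystems — a comment on the `match(` line stating that `a[10]` may be `-` and how `rem_pcent` treats it would settle this. The Linux branch begins before the hunk.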


@ -1,116 +0,0 @@
#!/bin/bash
# SPDX-FileCopyrightText: 2022 Michael Erdely <mike@erdelynet.com>
# SPDX-License-Identifier: MIT
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand docker
assertHaveCommand bc
assertHaveCommand ip
assertHaveCommand awk
declare -A pids
declare -A time_start
declare -A cpu_start
declare -A rx_start
declare -A tx_start
declare -A br_start
declare -A bw_start
[[ $0 =~ .*_metric.sh ]] && mode=metric
# Either add the splunk user to the docker group or add the following to /etc/sudoers:
# splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
# splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
# splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
docker_cmd=docker
if [ $(id -u) != 0 ]; then
! groups | grep -q "\bdocker\b" && docker_cmd="sudo -n $docker_cmd"
fi
docker_list=$($docker_cmd ps --all --no-trunc --format '{{ .ID }}')
header_string="ContainerId Name CPUPct MemUsage MemTotal MemPct NetRX RXps NetTX TXps BlockRead BRps BlockWrite BWps Pids"
metric_string=""
header_format="%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
string_format="%s\t%s\t%s\t%.2f\t%s\t%s\t%.2f\t%s\t%.2f\t%s\t%.2f\t%s\t%.2f\t%s\t%.2f\t%s\n"
json_format='{ "time": "%s", "ContainerId": "%s", "Name": "%s", "CPUPct": %.2f, "MemUsage": %s, "MemTotal": %s, "MemPct": %.2f, "NetRX": %s, "RXps": %.2f, "NetTX": %s, "TXps": %.2f, "BlockRead": %s, "BRps": %.2f, "BlockWrite": %s, "BWps": %.2f, "Pids": %s }\n'
if [ "$mode" = "metric" ]; then
metric_name=docker_metric
if [ ! -f "/etc/os-release" ] ; then
OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_')
OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1)
IP_address=$(ip addr show dev $(ip route show | awk 'BEGIN{m=1000}$1=="default"$0!~/ metric /{print $5;exit}$1=="default"{if($NF<m){m=$NF;i=$5}}END{print i}') | awk '$1=="inet"{print gensub(/\/[0-9]+/,"","g",$2)}')
else
OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d\= -f2 | tr ' ' '_' | cut -d\" -f2)
OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d\= -f2 | cut -d\" -f2)
IP_address=$(ip addr show dev $(ip route show | awk 'BEGIN{m=1000}$1=="default"$0!~/ metric /{print $5;exit}$1=="default"{if($NF<m){m=$NF;i=$5}}END{print i}') | awk '$1=="inet"{print gensub(/\/[0-9]+/,"","g",$2)}')
fi
[ -z "$OSName" ] && OSName="?"
[ $OSName = Arch_Linux ] && OS_version=rolling
[ -z "$OS_version" ] && OS_version="?"
header_string="$header_string OSName OS_version IP_address"
metric_string=" $OSName $OS_version $IP_address"
header_format="${header_format::-2}\t%s\t%s\t%s\n"
string_format="${string_format::-2}\t%s\t%s\t%s\n"
json_format='{ "time": "%s", "ContainerId": "%s", "Name": "%s", "CPUPct": %.2f, "MemUsage": %.2f, "MemTotal": %.2f, "MemPct": %.2f, "NetRX": %.2f, "RXps": %.2f, "NetTX": %.2f, "TXps": %.2f, "BlockRead": %.2f, "BRps": %.2f, "BlockWrite": %.2f, "BWps": %.2f, "Pids": %s, "OSName": "%s", "OS_version": "%s", "IP_address": "%s", "event": "metric" }\n'
fi
# Currently calculates CPU % over time; not right now
for id in $docker_list; do
[ ! -d /sys/fs/cgroup/system.slice/docker-$id.scope ] && continue
pids[$id]=$($docker_cmd inspect -f '{{ .State.Pid }}' $id)
read time_start[$id] _ < /proc/uptime
read _ cpu_start[$id] < /sys/fs/cgroup/system.slice/docker-$id.scope/cpu.stat
while read _if _rx _ _ _ _ _ _ _ _tx _ _ _ _ _ _ _ ; do
[ -z "$_if" ] && continue
[ -z "$_rx" ] && _rx=0
[ -z "$_tx" ] && _tx=0
if=$_if rx_start[$id]=$_rx tx_start[$id]=$_tx
done < /proc/${pids[$id]}/net/dev
br_start[$id]=0;bw_start[$id]=0
while read _ _br _bw _ _ _ _; do
[ -z "$_br" ] && _br=rbytes=0
[ -z "$_bw" ] && _bw=wbytes=0
br_start[$id]=$((${br_start[$id]}+${_br:7}))
bw_start[$id]=$((${bw_start[$id]}+${_bw:7}))
done < /sys/fs/cgroup/system.slice/docker-$id.scope/io.stat
done
sleep 2 # Sleep 2 seconds to give the script time to get CPU stats
MemTotal=$(awk '$1=="MemTotal:" {print $2*1024}' /proc/meminfo)
#printf "$header_format" $header_string
for id in $docker_list; do
name=$($docker_cmd inspect -f '{{ .Name }}' $id)
if [ ! -d /sys/fs/cgroup/system.slice/docker-$id.scope ]; then
printf "$json_format" $id ${name:1} 0 0 0 0 0 0 0 0 0 0 0 0 0$metric_string
continue
fi
read cpu_stop _ < /proc/uptime
read _ proc_stop < /sys/fs/cgroup/system.slice/docker-$id.scope/cpu.stat
while read _if _rx _ _ _ _ _ _ _ _tx _ _ _ _ _ _ _ ; do
[ -z "$_if" ] && continue
[ -z "$_rx" ] && _rx=0
[ -z "$_tx" ] && _tx=0
if=$_if NetRX=$_rx NetTX=$_tx
done < /proc/${pids[$id]}/net/dev
BlockRead=0;BlockWrite=0
while read _ _br _bw _ _ _ _; do
[ -z "$_br" ] && _br=rbytes=0
[ -z "$_bw" ] && _bw=wbytes=0
BlockRead=$((BlockRead+${_br:7}))
BlockWrite=$((BlockWrite+${_bw:7}))
done < /sys/fs/cgroup/system.slice/docker-$id.scope/io.stat
read MemUsage < /sys/fs/cgroup/system.slice/docker-$id.scope/memory.current
read Pids < /sys/fs/cgroup/system.slice/docker-$id.scope/pids.current
read _ CPU < /sys/fs/cgroup/cpu.stat
CpuUsage=$(echo "($proc_stop - ${cpu_start[$id]}) / ($cpu_stop * 1000000 - ${time_start[$id]} * 1000000) * 100" | bc -l)
RXps=$(echo "($NetRX - ${rx_start[$id]}) / ($cpu_stop * 1000000 - ${time_start[$id]} * 1000000) * 100" | bc -l)
TXps=$(echo "($NetTX - ${tx_start[$id]}) / ($cpu_stop * 1000000 - ${time_start[$id]} * 1000000) * 100" | bc -l)
BRps=$(echo "($BlockRead - ${br_start[$id]}) / ($cpu_stop * 1000000 - ${time_start[$id]} * 1000000) * 100" | bc -l)
BWps=$(echo "($BlockWrite - ${bw_start[$id]}) / ($cpu_stop * 1000000 - ${time_start[$id]} * 1000000) * 100" | bc -l)
printf "$json_format" "$(env TZ=UTC date "+%FT%T.%NZ")" $id ${name:1} $CpuUsage $MemUsage $MemTotal $(echo "$MemUsage*100/$MemTotal"|bc -l) $NetRX $RXps $NetTX $TXps $BlockRead $BRps $BlockWrite $BWps $Pids$metric_string
done


@ -1 +0,0 @@
docker.sh


@ -1,5 +1,4 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -10,14 +9,13 @@ FORMAT='{key = $1; if (NF == 1) {value = "<notAvailable>"} else {value = $2; for
PRINTF='{printf("%-20s %-s\n", key, value)}'
if [ "$KERNEL" = "Linux" ] ; then
TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out lshw warning from stderr
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile # For filtering out lshw warning from stderr
queryHaveCommand ip
FOUND_IP=$?
# CPUs
CPU_TYPE=$(awk -F: '/model name/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST")
CPU_CACHE=$(awk -F: '/cache size/ {print $2; exit}' /proc/cpuinfo 2>>"$TEE_DEST")
CPU_COUNT=$(grep -c processor /proc/cpuinfo 2>>"$TEE_DEST")
[ -z "$CPU_TYPE" ] && [ -r /proc/device-tree/compatible ] && CPU_TYPE=$(cat /proc/device-tree/compatible | tr '\0' ',')
# HDs
# shellcheck disable=SC2010
for deviceBasename in $(ls /sys/block | grep -E -v '^(dm|md|ram|sr|loop)')
@ -189,29 +187,6 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
OUTPUT=$(swapinfo -tm)
MEMORY_REAL=$(echo "$OUTPUT" | awk '$1=="memory" {print $2 " MB"; exit}')
MEMORY_SWAP=$(echo "$OUTPUT" | awk '$1=="dev" {print $2 " MB"; exit}')
elif [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand sysctl
assertHaveCommand df
assertHaveCommand ifconfig
assertHaveCommand dmesg
assertHaveCommand top
# CPUs
CPU_TYPE=$(sysctl -n hw.model)
CPU_CACHE=
CPU_COUNT=$(sysctl -n hw.ncpu)
# HDs
HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}')
# NICs
IFACE_NAME=$(ifconfig -a | awk '/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /media: / {print iface}')
for NIC in $IFACE_NAME; do
NIC=$(echo $NIC | sed -E 's/[0-9]+$//')
NIC_TYPE="$NIC_TYPE,$(whatis $NIC | sed -E 's/^.* - //')"
done
NIC_TYPE=${NIC_TYPE#,}
NIC_COUNT=$(echo $IFACE_NAME | wc -w)
# memory
MEMORY_REAL=$(sysctl -n hw.physmem)
MEMORY_SWAP=$(systat -b swap | gawk '/^DISK/{p=1;next}p==1{swap+=$2}END{print int(swap/2)}')
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand sysctl
assertHaveCommand df
@ -219,9 +194,9 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand dmesg
assertHaveCommand top
# CPUs
CPU_TYPE=$(sysctl -n hw.model)
CPU_TYPE=$(sysctl hw.model | sed 's/^.*: //')
CPU_CACHE=
CPU_COUNT=$(sysctl -n hw.ncpu)
CPU_COUNT=$(sysctl hw.ncpu | sed 's/^.*: //')
# HDs
HARD_DRIVES=$(df -h | awk '/^\/dev/ {sub("^.*\134/", "", $1); drives[$1] = $2} END {for(d in drives) printf("%s: %s; ", d, drives[d])}')
# NICs
@ -229,7 +204,7 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
NIC_TYPE=$(dmesg | awk '(index($0, iface) && index($0, " port ")) {sub("^.*<", ""); sub(">.*$", ""); print $0}' iface="$IFACE_NAME" | head -1)
NIC_COUNT=$(ifconfig -a | grep -c media)
# memory
MEMORY_REAL=$(sysctl -n hw.physmem)
MEMORY_REAL=$(sysctl hw.physmem | awk '{print $2/(1024*1024) "MB"}')
MEMORY_SWAP=$(top -Sb 0 | awk '/^Swap: / {print $2 "B"}')
fi
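Review bot: `TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_hardware_error_tmpfile` in the first hunk is a fixed, predictable path, so two concurrent runs of the script (or a stale file left by an interrupted one) share and clobber the same file, and an unset `SPLUNK_HOME` silently turns it into `/var/run/splunk/...`, which the Splunk user normally cannot write. This is the Linux branch, where coreutils `mktemp` is effectively always present, so `TMP_ERROR_FILTER_FILE=$(mktemp "${SPLUNK_HOME:?SPLUNK_HOME is not set}/var/run/splunk/unix_hardware_error.XXXXXX")` keeps the file inside Splunk's own run directory while giving each run its own name. I cannot see from the hunk whether the file is removed after the lshw stderr filtering; if not, a `trap 'rm -f "$TMP_ERROR_FILTER_FILE"' EXIT` beside the assignment prevents it from accumulating. The Linux branch continues past that hunk.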


@ -6,17 +6,15 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
#HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex'
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex'
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex'
FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}'
#PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, (RXdropped == "") ? 0 : RXdropped, TXbytes, TXerrors, (TXdropped == "") ? 0 : TXdropped, speed, duplex}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex}'
if [ "$KERNEL" = "Linux" ] ; then
OS_FILE=/etc/os-release
#HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex'
#PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}'
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors RXdropped TXbytes TXerrors TXdropped Speed Duplex'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-18s %-16s %-16s %-18s %-12s %-12s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, RXdropped, TXbytes, TXerrors, TXdropped, speed, duplex}'
queryHaveCommand ip
FOUND_IP=$?
if [ $FOUND_IP -eq 0 ]; then
@ -255,7 +253,7 @@ if [ "$KERNEL" = "Linux" ] ; then
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
@ -324,13 +322,12 @@ if [ "$KERNEL" = "Linux" ] ; then
GET_MAC='{if ($0 ~ /ether /) { mac = $2; } else if ( NR == 1 ) { mac = $5; }}'
fi
if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then
output="$output$($CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC")\n"
$CMD "$iface" | tee -a "$TEE_DEST" | awk "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC"
echo "Cmd = [$CMD $iface]; | awk '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST"
else
echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST"
fi
done
printf "$output" | column -t
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
@ -349,7 +346,7 @@ elif [ "$KERNEL" = "SunOS" ] ; then
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
@ -361,10 +358,9 @@ elif [ "$KERNEL" = "SunOS" ] ; then
else
CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
fi
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
printf "$output" | column -t
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommandGivenPath /usr/bin/netstat
@ -382,17 +378,16 @@ elif [ "$KERNEL" = "AIX" ] ; then
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]" >> "$TEE_DEST"
NODE=$(uname -n)
CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface"
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
printf "$output"
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
@ -442,16 +437,15 @@ elif [ "$KERNEL" = "Darwin" ] ; then
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
printf "$output" | column -t
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ifconfig
assertHaveCommand lanadmin
@ -472,30 +466,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
printf "$HEADER\n$out\n"
echo "$HEADER"
echo "$out"
fi
elif [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -a'
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /media: / {print iface}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "lladdr" && mac = $2}'
# shellcheck disable=SC2016
GET_IP='/ (netmask|prefixlen) / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
fi
for iface in $out
do
output="$output$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s %s %s\", \$9, \$1, 0, \$6, \$2, \$8, 0}") auto auto\n"
done
printf "$output" | column -t
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
@ -542,15 +515,14 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
printf "$output" | column -t
fi
# jscpd:ignore-end
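Review bot: The new Linux override `PRINTF='END {printf ... RXdropped, TXbytes, TXerrors, TXdropped, ...}'` in the first hunk prints `RXdropped`/`TXdropped` raw, so an interface whose description yields no dropped-packet counter emits an 18-character blank field, and any whitespace-delimited extraction of this table downstream would then shift TXbytes/TXerrors into the wrong columns; the old side guarded this with `(RXdropped == "") ? 0 : RXdropped`. Unless `$FILL_BLANKS` (defined outside the hunk) already defaults those two variables, restore that default in the Linux PRINTF or add them to the blank-filling step. Separately, every branch keeps `lines=$(echo "$out" | wc -l)`, which is 1 even when `$out` is empty, so `if [ "$lines" -gt 0 ]` always prints the header; `if [ -n "$out" ]` expresses the intent.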


@ -1,5 +1,4 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -7,8 +6,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
HEADER='Name MAC inetAddr inet6Addr Collisions RXbytes RXerrors TXbytes TXerrors Speed Duplex OSName OS_version IP_address IPv6_Address'
FORMAT='{mac = length(mac) ? mac : "?"; collisions = length(collisions) ? collisions : "?"; RXbytes = length(RXbytes) ? RXbytes : "?"; RXerrors = length(RXerrors) ? RXerrors : "?"; TXbytes = length(TXbytes) ? TXbytes : "?"; TXerrors = length(TXerrors) ? TXerrors : "?"; speed = length(speed) ? speed : "?"; duplex = length(duplex) ? duplex : "?"}'
PRINTF='END {printf "%-10s %-17s %-15s %-42s %-10s %-16s %-16s %-16s %-16s %-12s %-12s %-35s %15s %-16s %-42s\n", name, mac, IPv4, IPv6, collisions, RXbytes, RXerrors, TXbytes, TXerrors, speed, duplex, OSName, OS_version, IP_address, IPv6_Address}'
@ -21,9 +18,9 @@ if [ "$KERNEL" = "Linux" ] ; then
queryHaveCommand ip
FOUND_IP=$?
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
if [ $FOUND_IP -eq 0 ]; then
CMD_LIST_INTERFACES="eval ip -s a | tee $TEE_DEST|grep 'state UP' | grep mtu | grep -Ev lo | tee -a $TEE_DEST | cut -d':' -f2 | tee -a $TEE_DEST | cut -d '@' -f 1 | tee -a $TEE_DEST | sort -u | tee -a $TEE_DEST"
@ -262,7 +259,7 @@ if [ "$KERNEL" = "Linux" ] ; then
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
@ -327,13 +324,12 @@ if [ "$KERNEL" = "Linux" ] ; then
fi
if [ "$DUPLEX" != 'error' ] && [ "$SPEED" != 'error' ]; then
# shellcheck disable=SC2086
output="$output$($CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC")\n"
$CMD "$iface" | tee -a "$TEE_DEST" | awk $DEFINE "$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF" name="$iface" speed="$SPEED" duplex="$DUPLEX" mac="$MAC"
echo "Cmd = [$CMD $iface]; | awk $DEFINE '$BEGIN $GET_MAC $GET_ALL $FILL_BLANKS $PRINTF' name=$iface speed=$SPEED duplex=$DUPLEX mac=$MAC" >> "$TEE_DEST"
else
echo "ERROR: cat command failed for interface $iface" >> "$TEE_DEST"
fi
done
printf "$output" | column -t
elif [ "$KERNEL" = "SunOS" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
@ -355,7 +351,7 @@ elif [ "$KERNEL" = "SunOS" ] ; then
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
@ -368,10 +364,9 @@ elif [ "$KERNEL" = "SunOS" ] ; then
CMD_DESCRIBE_INTERFACE="eval kstat -n $iface ; /usr/sbin/ifconfig $iface 2>/dev/null"
fi
# shellcheck disable=SC2086
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
printf "$output" | column -t
elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommandGivenPath /usr/sbin/ifconfig
assertHaveCommandGivenPath /usr/bin/netstat
@ -393,7 +388,7 @@ elif [ "$KERNEL" = "AIX" ] ; then
out=$($CMD_LIST_INTERFACES)
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
@ -401,10 +396,9 @@ elif [ "$KERNEL" = "AIX" ] ; then
NODE=$(uname -n)
CMD_DESCRIBE_INTERFACE="eval netstat -v $iface ; /usr/sbin/ifconfig $iface"
# shellcheck disable=SC2086
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | $AWK $DEFINE "$GET_ALL $FORMAT $PRINTF" name="$iface" node="$NODE"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | $AWK $DEFINE '$GET_ALL $FORMAT $PRINTF' name=$iface node=$NODE" >> "$TEE_DEST"
done
printf "$output" | column -t
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
@ -456,17 +450,16 @@ elif [ "$KERNEL" = "Darwin" ] ; then
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
# shellcheck disable=SC2086
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
printf "$output" | column -t
elif [ "$KERNEL" = "HP-UX" ] ; then
assertHaveCommand ifconfig
assertHaveCommand lanadmin
@ -488,33 +481,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
out=$($CMD | awk "$LANSCAN_AWK $GET_IP4 $GET_IP6 $GET_SPEED_DUPLEX $PRINTF $FILL_BLANKS")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
printf "$HEADER\n$out\n" | column -t
echo "$HEADER"
echo "$out"
fi
elif [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
CMD_LIST_INTERFACES='ifconfig -a'
# shellcheck disable=SC2016
CHOOSE_ACTIVE='/^[a-z0-9]+: / {sub(":", "", $1); iface=$1} /media: / {print iface}'
UNIQUE='sort -u'
# shellcheck disable=SC2016
GET_MAC='{$1 == "lladdr" && mac = $2}'
# shellcheck disable=SC2016
GET_IP='/ (netmask|prefixlen) / {for (i=1; i<=NF; i++) {if ($i == "inet") IPv4 = $(i+1); if ($i == "inet6") IPv6 = $(i+1)}}'
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
INT=$(netstat -nr | awk '$1 == "default" {print $NF; exit}')
IP4=$(ifconfig $INT | awk '$1=="inet"{print $2;p=1;exit}END{if (p!=1) print "<n/a>"}')
IP6=$(ifconfig $INT | awk '$1=="inet6" && $2!~/%vio0$/{print $2;p=1;exit}END{if (p!=1) print "<n/a>"}')
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
fi
for iface in $out
do
output="$output"$iface $(ifconfig $iface | awk "$GET_MAC $GET_IP END {printf \"%s %s %s\", mac, IPv4, IPv6}") $(echo $(netstat -bnI $iface -w1 | head -n4 | tail -n1) $(netstat -neI $iface -w1 | head -n4 | tail -n1) | awk "{printf \"%s %s %s %s %s\", \$9, \$1, \$6, \$2, \$8}") auto auto $(uname -s) $(uname -r) $IP4 $IP6\n"
done
printf "$output" | column -t
elif [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ifconfig
assertHaveCommand netstat
@ -564,16 +533,15 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
out=$($CMD_LIST_INTERFACES | tee "$TEE_DEST" | awk "$CHOOSE_ACTIVE" | $UNIQUE | tee -a "$TEE_DEST")
lines=$(echo "$out" | wc -l)
if [ "$lines" -gt 0 ]; then
output="$HEADER\n"
echo "$HEADER"
fi
for iface in $out
do
echo "Cmd = [$CMD_LIST_INTERFACES]; | awk '$CHOOSE_ACTIVE' | $UNIQUE" >> "$TEE_DEST"
CMD_DESCRIBE_INTERFACE="eval ifconfig $iface ; netstat -b -I $iface"
# shellcheck disable=SC2086
output="$output$($CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface")\n"
$CMD_DESCRIBE_INTERFACE | tee -a "$TEE_DEST" | awk $DEFINE "$GET_ALL $PRINTF" name="$iface"
echo "Cmd = [$CMD_DESCRIBE_INTERFACE]; | awk $DEFINE '$GET_ALL $PRINTF' name=$iface" >> "$TEE_DEST"
done
printf "$output" | column -t
fi
# jscpd:ignore-end
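Review bot: `IP_address=$(hostname -I | cut -d\ -f1)` in the two new `DEFINE=` lines of the `@ -21,9 +18,9 @@` hunk takes the first of all configured addresses in whatever order `hostname -I` reports them, so on hosts with container bridges, VPN or secondary addresses the value stamped onto every interface row may not be the host's primary address, and on minimal `hostname` implementations without `-I` the field is simply empty. The old side derived it from the default route, which is the more stable choice; if `hostname -I` is kept, say so in a comment such as `# IP_address is the first address reported by hostname -I, not necessarily the default-route address`. In the same lines `grep '\bVERSION_ID='` leaves `OS_version` empty on os-release files that carry no VERSION_ID (rolling distributions), producing an empty `-v OS_version=` and a blank column where the old `(VERSION|BUILD)_ID` alternation still found a value. The identical change appears in the `@ -8,15 +7,13 @@` and `@ -8,16 +7,16 @@` hunks of the two later files.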


@ -7,8 +7,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
if [ "$KERNEL" = "Linux" ] ; then
CMD='iostat -xky 1 1'
assertHaveCommand "$CMD"
@ -24,12 +22,6 @@ elif [ "$KERNEL" = "AIX" ] ; then
assertHaveCommand "$CMD"
# considers the disks, kb_read and kb_wrtn columns and returns output of the second interval
FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD='systat -B iostat'
assertHaveCommand "$CMD"
HEADER="Device rB/s wB/s r/s w/s"
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER=$HEADERIZE'/^[^ \t]/ && !/^(DEVICE|Totals)/{printf "%-7s %.2f %.2f %d %d\n", $1, $2/1024, $3/1024, $4, $5}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='iostat -x -c 2'
assertHaveCommand "$CMD"
@ -51,10 +43,10 @@ elif [ "$KERNEL" = "Darwin" ] ; then
LATENCY='function getLatency(disk) {read=getDeltaPS(disk,"Latency Time (Read)"); write=getDeltaPS(disk,"Latency Time (Write)"); return expr read + write;}'
FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
$CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | awk "$SCRIPT" header="$HEADER"
echo "Cmd = [$CMD]; | awk '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
exit 0
fi
$CMD | tee "$TEE_DEST" | $AWK "$FILTER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$FILTER"
echo "Cmd = [$CMD]; | $AWK '$FILTER'" >> "$TEE_DEST"
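Review bot: The new `$CMD | tee "$TEE_DEST" | $AWK "$FILTER"` in the last hunk reports only awk's exit status, so a failing `$CMD` yields an empty table and a zero exit rather than an error the collector could alert on; these scripts appear to run under `#!/bin/sh`, where `pipefail` is unavailable. A portable check is to capture first, e.g. `out=$($CMD) || { echo "ERROR: $CMD failed" >> "$TEE_DEST"; exit 1; }` followed by `echo "$out" | tee "$TEE_DEST" | $AWK "$FILTER"`. Whether `assertHaveCommand "$CMD"` already rejects a missing binary in the multi-word command string cannot be seen from this hunk. The same final-pipeline pattern is in the `@ -68,10 +58,10 @@`, `@ -76,5 +63,5 @@` and `@ -79,5 +77,5 @@` hunks of the later files.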


@ -1,5 +1,4 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -8,15 +7,13 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
if [ "$KERNEL" = "Linux" ] ; then
CMD='iostat -xky 1 1'
assertHaveCommand "$CMD"
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
FILTER='/Device/ && /r\/s/ && /w\/s/ {f=1;}f'
# shellcheck disable=SC2016
@ -37,13 +34,6 @@ elif [ "$KERNEL" = "AIX" ] ; then
FILTER='/^cd/ {next} /Disks/ && /Kb_read/ && /Kb_wrtn/ {f++;} f==2'
# shellcheck disable=SC2016
PRINTF='{if ($0~/Disks/ && /Kb_read/ && /Kb_wrtn/) {printf "%s OSName OS_version IP_address \n", $0} else if (NF!=0) {printf "%s %s %s %s\n", $0, OSName, OS_version/1000, IP_address}}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD='systat -B iostat'
assertHaveCommand "$CMD"
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig $(netstat -nr | awk '$1 == "default" {print $NF; exit}') | awk '$1=="inet"{print $2;p=1;exit}END{if (p!=1) print "<n/a>"}')"
HEADER="Device rB/s wB/s r/s w/s OSName OS_version IP_address"
HEADERIZE="BEGIN {print \"$HEADER\"}"
FILTER=$HEADERIZE'/^[^ \t]/ && !/^(DEVICE|Totals)/{printf "%-7s %.2f %.2f %d %d %s %s %s\n", $1, $2/1024, $3/1024, $4, $5, OSName, OS_version, IP_address}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
CMD='iostat -x -c 2'
assertHaveCommand "$CMD"
@ -68,10 +58,10 @@ elif [ "$KERNEL" = "Darwin" ] ; then
FUNC2='function getAllDeltasPS(disk) {rReq_PS=getDeltaPS(disk,"Operations (Read)"); wReq_PS=getDeltaPS(disk,"Operations (Write)"); rKB_PS=getDeltaPS(disk,"Bytes (Read)")/1024; wKB_PS=getDeltaPS(disk,"Bytes (Write)")/1024; avgWaitMillis=getLatency(disk);}'
SCRIPT="$HEADERIZE $FILTER $FUNC1 $LATENCY $FUNC2 END {$FORMAT for (device in devices) {getAllDeltasPS(device); $PRINTF}}"
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | awk $DEFINE "$SCRIPT" header="$HEADER"
echo "Cmd = [$CMD]; | awk $DEFINE '$SCRIPT' header=\"$HEADER\"" >> "$TEE_DEST"
exit 0
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF" | column -t
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER'" >> "$TEE_DEST"
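Review bot: The new `$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$FILTER $PRINTF"` runs the awk program `$FILTER $PRINTF`, but the debug line after it records only `'$FILTER'`, so the trace written to `$TEE_DEST` no longer reproduces what was executed. Change it to `echo "Cmd = [$CMD]; | $AWK $DEFINE '$FILTER $PRINTF'" >> "$TEE_DEST"` so the log matches the command, as the Darwin branch's log line in the same hunk already does for `$SCRIPT`.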


@ -47,17 +47,6 @@ elif [ "$KERNEL" = "Darwin" ] ; then
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD='last'
# shellcheck disable=SC2016
FILTER='{if ($0 == "") exit; if ($1 ~ /reboot|shutdown/ || $1 in users) next; users[$1]=1}'
# shellcheck disable=SC2016
FORMAT='{
username = $1;
from = (NF>=10) ? $3 : "<console>";
latest = (NF >= 10 && ($7 == "gone" || $8 == "gone" || $9 == "gone")) ? $(NF-7) " " $(NF-6) " " $(NF-5) " " $(NF-4) : $(NF-6) " " $(NF-5) " " $(NF-4) " " $(NF-3);
duration = (NF >= 10 && $10 != "still" && $10 != "logged" && $10 != "running" && $10 != "in" && $10 != "" && $10 != "gone" && $10 != "no" && $10 != "logout") ? $10 : "N/A";
}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='lastb -Rx'
# shellcheck disable=SC2016


@ -5,11 +5,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ "$KERNEL" = "OpenBSD" ] ; then
fstat | awk '/^USER/{print "COMMAND PID USER FD MOUNT"} $5 ~ /^\// {print $2, $3, $1, $4, $5} $5 !~ /^\// && !/^USER/ {print $2, $3, $1, $4, $5, $6, $7, $8, $9, $10, $11}'
exit 0
fi
assertHaveCommand lsof
CMD='lsof -nPs +c 0'


@ -39,7 +39,7 @@ elif [ "$KERNEL" = "Darwin" ] ; then
FORMAT='{gsub("[46]", "", $1)}'
elif [ "$KERNEL" = "HP-UX" ] ; then
CMD='eval netstat -an | egrep "tcp|udp"'
elif [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2089
CMD='eval netstat -an | egrep "tcp|udp"'
# shellcheck disable=SC2016


@ -5,8 +5,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
HEADER='Mount Path r_op/s w_op/s r_KB/s w_KB/s rpc_backlog r_avg_RTT w_avg_RTT r_avg_exe w_avg_exe'
HEADERIZE="BEGIN {print \"$HEADER\"}"


@ -52,7 +52,7 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
FORMAT='{gsub("[46]", "", $1); proto=$1; sub("^.*[^0-9]", "", $4); port=$4}'
# shellcheck disable=SC2016
FILTER='{if ($4 == "") next}'
elif [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2089
CMD='eval netstat -ln | egrep "^tcp|^udp"'
HEADERIZE="BEGIN {print \"$HEADER\"}"


@ -5,15 +5,12 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
HEADER='NAME VERSION RELEASE ARCH VENDOR GROUP'
HEADERIZE="BEGIN {print \"$HEADER\"}"
PRINTF='{printf "%-55.55s %-20.20s %-20.20s %-10.10s %-30.30s %-20s\n", name, version, release, arch, vendor, group}'
CMD='echo There is no flavor-independent command...'
if [ "$KERNEL" = "Linux" ] ; then
OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2)
if $DEBIAN; then
CMD1="eval dpkg-query -W -f='"
# shellcheck disable=SC2016
@ -22,10 +19,6 @@ if [ "$KERNEL" = "Linux" ] ; then
CMD=$CMD1$CMD2$CMD3
# shellcheck disable=SC2016
FORMAT='{name=$1;version=$2;sub("\\.?[^0-9\\.:\\-].*$", "", version); release=$2; sub("^[0-9\\.:\\-]*","",release); if(release=="") {release="?"}; arch=$3; if (NF>3) {sub("^.*:\\/\\/", "", $4); sub("^www\\.", "", $4); sub("\\/.*$", "", $4); vendor=$4} else {vendor="?"} group="?"}'
elif [ "$OSName" = "Arch_Linux" ] || [ "$OSName" = "Arch_Linux_ARM" ]; then
CMD="eval pacman -Q"
# shellcheck disable=SC2016
FORMAT="{name=\$1;version=\$2; release=\"?\"; arch=\"$(eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/")\"; vendor=\"?\"; group=\"?\"}"
else
CMD='eval rpm --query --all --queryformat "%-56{name} %-21{version} %-21{release} %-11{arch} %-31{vendor} %-{group}\n"'
# shellcheck disable=SC2016
@ -53,12 +46,6 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
FILTER='/^#/ {next} $1=="" {next}'
# shellcheck disable=SC2016
FORMAT='{release="?"; group="?"; vendor="?"; name=$1; version=$2; arch=$3} NF==4 {vendor=$4}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD=pkg_info
HEADER='NAME VERSION ARCH '
HEADERIZE="BEGIN {print \"$HEADER\"; arch=\"$(arch -s)\"}"
#PRINTF='{ printf "%-50s %-50s %s\n",$1,$2,$3}'
PRINTF='{name=gensub(/-[0-9].*$/,"",1,$1); suffix=gensub(/^.*-([0-9][^-]*)/,"",1,$1); if (suffix!="") suffix="," suffix; version=gensub(/^.*-([0-9][^-]*)-?.*$/,"\\1",1,$1); printf "%-50s %-50s %s\n", name suffix, version, arch}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# the below syntax is valid when using zsh, bash, ksh
if [[ $KERNEL_RELEASE =~ 10.* ]] || [[ $KERNEL_RELEASE =~ 11.* ]] || [[ $KERNEL_RELEASE =~ 12.* ]] || [[ $KERNEL_RELEASE =~ 13.* ]]; then
@ -76,5 +63,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FILTER $FORMAT $SEPARATE_RECORDS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"


@ -5,8 +5,6 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
CMD='netstat -s'
HEADER=' IPdropped TCPrexmits TCPreorder TCPpktRecv TCPpktSent UDPpktLost UDPunkPort UDPpktRecv UDPpktSent'
HEADERIZE="BEGIN {print \"$HEADER\"}"
@ -67,7 +65,7 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
SECTION_TCP='inTCP && /retransmited$/ {TCPrexmits=$1} inTCP && /out of order/ {TCPreorder=$1} inTCP && /[0-9] packets received$/ {TCPpktRecv=$1} inTCP && /[0-9] packets sent$/ {TCPpktSent=$1}'
# shellcheck disable=SC2016
SECTION_UDP='inUDP && /packets received/ {UDPpktRecv=$1} inUDP && /packets sent/ {UDPpktSent=$1} inUDP && /packet receive errors/ {UDPpktLost=$1} inUDP && /packets to unknown port received/ {UDPunkPort=$1}'
elif [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
FIGURE_SECTION='/^ip:$/ {inIP=1;inTCP=0;inUDP=0} /^tcp:$/ {inIP=0;inTCP=1;inUDP=0} /^udp:$/ {inIP=0;inTCP=0;inUDP=1} {if (NF==1 && $1 !~ /^ip:$|^udp:$|^tcp:$/) inIP=inTCP=inUDP=0}'
# shellcheck disable=SC2016
@ -79,5 +77,5 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
fi
assertHaveCommand "$CMD"
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $FIGURE_SECTION $COMMON $SECTION_IP $SECTION_TCP $SECTION_UDP $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"


@ -6,7 +6,7 @@
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2166
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" -o "$KERNEL" = "OpenBSD" ] ; then
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ps
CMD='ps auxww'
elif [ "$KERNEL" = "AIX" ] ; then


@ -1,5 +1,4 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -8,16 +7,16 @@
. "$(dirname "$0")"/common.sh
# shellcheck disable=SC2166
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" -o "$KERNEL" = "OpenBSD" ] ; then
if [ "$KERNEL" = "Linux" -o "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand ps
CMD='ps auxww'
if [ "$KERNEL" = "Linux" ] ; then
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}') -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1) -v IPv6_Address=$(ip -6 -brief address show scope global | xargs | cut -d ' ' -f 3 | cut -d '/' -f 1)"
fi
elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" -o "$KERNEL" = "OpenBSD" ] ; then
elif [ "$KERNEL" = "Darwin" -o "$KERNEL" = "FreeBSD" ] ; then
# Filters have been applied to get rid of IPv6 addresses designated for special usage to extract only the global IPv6 address.
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1) -v IPv6_Address=$(ifconfig -a | grep inet6 | grep -v ' ::1 ' | grep -v ' ::1/' | grep -v ' ::1%' | grep -v ' fe80::' | grep -v ' 2002::' | grep -v ' ff00::' | head -n 1 | xargs | cut -d '/' -f 1 | cut -d '%' -f 1 | cut -d ' ' -f 2)"
fi


@ -1,5 +1,4 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
#
@ -8,16 +7,10 @@
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
if [ -n "$SPLUNK_DB" ]; then
OLD_SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seekfile # For handling upgrade scenarios
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
else
# handle the case where this is not being run by the Splunk user from Splunk
OLD_SEEK_FILE=$HOME/.splunk_unix_audit_seekfile # For handling upgrade scenarios
SEEK_FILE=$HOME/.splunk_unix_audit_seektime
fi
CURRENT_AUDIT_FILE=/var/log/audit/audit.log # For handling upgrade scenarios
TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out "no matches" error from stderr
SEEK_FILE=$SPLUNK_HOME/var/run/splunk/unix_audit_seektime
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_rlog_error_tmpfile # For filering out "no matches" error from stderr
AUDIT_FILE="/var/log/audit/audit.log*"
if [ "$KERNEL" = "Linux" ] ; then
@ -63,8 +56,6 @@ elif [ "$KERNEL" = "Darwin" ] ; then
:
elif [ "$KERNEL" = "HP-UX" ] ; then
:
elif [ "$KERNEL" = "OpenBSD" ] ; then
:
elif [ "$KERNEL" = "FreeBSD" ] ; then
:
fi
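Review bot: `SEEK_FILE` and `TMP_ERROR_FILTER_FILE` are now built from `$SPLUNK_HOME` with no check that it is set, so unless `common.sh` guarantees it, a run outside splunkd silently resolves both paths to `/var/run/splunk/...`. A guard after `common.sh` is sourced makes that failure explicit: `: "${SPLUNK_HOME:?SPLUNK_HOME must be set}"`. The error-filter file also has a fixed name, so two overlapping runs of the script would share it — presumably the input scheduler never overlaps them, but that is worth confirming. The same fixed-name pattern appears in the `unix_selinux_error_tmpfile` and `unix_update_error_tmpfile` assignments in later sections. The `if [ "$KERNEL" ... ]` chain this hunk ends continues outside the hunk.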


@ -1,12 +1,11 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
TMP_ERROR_FILTER_FILE=$(mktemp) # For filtering out awk warning from stderr
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_selinux_error_tmpfile # For filtering out awk warning from stderr
PRINTF='END {printf "%s app=selinux %s %s %s %s\n", DATE, FILEHASH, SELINUX, SELINUXTYPE, SETLOCALDEFS}'
if [ "$KERNEL" = "Linux" ] ; then


@ -128,18 +128,9 @@ elif [ "$KERNEL" = "Darwin" ] ; then
CMD='eval date ; ls -1 /System/Library/StartupItems/ /Library/StartupItems/'
# Get per-user startup items
# shellcheck disable=SC2044
# For this to work properly when run as non-root, add a line to
# an /etc/sudoers.d file (eg - /etc/sudoers.d/splunk) like this:
# splunk ALL=(root) NOPASSWD: /usr/bin/find /Users -name loginwindow.plist
if [ $(id -u) != 0 ]; then
for PLIST_FILE in $(sudo -n /usr/bin/find /Users -name loginwindow.plist) ; do
for PLIST_FILE in $(find /Users -name "loginwindow.plist") ; do
CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
done
else
for PLIST_FILE in $(/usr/bin/find /Users -name loginwindow.plist) ; do
CMD=$CMD' ; echo '$PLIST_FILE': ; defaults read '$PLIST_FILE
done
fi
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# Retrieve path for system startup items
@ -196,33 +187,6 @@ elif [ "$KERNEL" = "Darwin" ] ; then
POSTPROCESS='END { if (SPLUNKD==0) { printf "%s app=\"Splunk\" StartMode=Disabled\n", DATE } }'
elif [ "$KERNEL" = "OpenBSD" ] ; then
# For this to work when running as a non-root user, add the following
# to /etc/doas.conf (replacing USERNAME with the user running the script):
# permit nopass USERNAME cmd /usr/sbin/rcctl args ls started
# permit nopass USERNAME cmd /usr/sbin/rcctl args ls failed
# permit nopass USERNAME cmd /usr/sbin/rcctl args ls rogue
if [ $(id -u) != 0 ]; then
failed=" $(doas -n /usr/sbin/rcctl ls failed) "
rogue=" $(doas -n /usr/sbin/rcctl ls rogue) "
running=" $(doas -n /usr/sbin/rcctl ls started) "
else
failed=" $(/usr/sbin/rcctl ls failed) "
rogue=" $(/usr/sbin/rcctl ls rogue) "
running=" $(/usr/sbin/rcctl ls started) "
fi
enabled=" $(/usr/sbin/rcctl ls on) "
for svc in $(/usr/sbin/rcctl ls all); do
enabled=false
echo $enabled | grep " $svc " && enabled=true
failed=false
echo $enabled | grep " $svc " && failed=true
rogue=false
echo $enabled | grep " $svc " && rogue=true
state=stopped
echo $enabled | grep " $svc " && state=running
date "+%a %b %e %H:%M:%S %Z %Y type=rcctl app=$svc, enabled=$enabled, failed=$failed, rogue=$rogue, running=$running"
done
else
# Exits
failUnsupportedScript
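Review bot: `$PLIST_FILE` comes from an unquoted `$(find /Users -name "loginwindow.plist")` and is then spliced unquoted into the `CMD` string that is later `eval`'d, so a home-directory path containing whitespace or shell metacharacters is split or interpreted when `CMD` runs. At minimum quote it inside the command string, e.g. `CMD=$CMD' ; echo "'"$PLIST_FILE"'": ; defaults read "'"$PLIST_FILE"'"'`; the `for` loop itself still word-splits, so a fully robust version would iterate with `find ... -exec` or a `while read` loop. When the script runs as a non-root user, `find /Users` also emits permission-denied noise on stderr, so `find /Users -name loginwindow.plist 2>/dev/null` keeps that out of the input's error stream. The enclosing `elif [ "$KERNEL" = "Darwin" ]` branch starts outside the hunk.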


@ -1,5 +1,4 @@
#!/usr/bin/env bash
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -238,7 +237,7 @@ function show_inputs
script_list=$(get_script_list)
for line in $script_list; do
case "$line" in
*unix* | *TA-unix* ) get_scripted_input_status "$line"; input_counter=`expr $input_counter + 1`;
*unix* | *Splunk_TA_nix* ) get_scripted_input_status "$line"; input_counter=`expr $input_counter + 1`;
esac
done
echo ""
@ -268,7 +267,7 @@ function enable_all_inputs
fi
if [ "$res" == "success" ] && [[ ( $line != *"_metric"* || $flag == 1 ) ]]; then
case "$line" in
*unix* | *TA-unix* ) echo "enabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); enable_scripted_input $input_endpoint;;
*unix* | *Splunk_TA_nix* ) echo "enabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); enable_scripted_input $input_endpoint;;
esac
fi
done
@ -290,7 +289,7 @@ function disable_all_inputs
script_list=$(get_script_list)
for line in $script_list; do
case "$line" in
*unix* | *TA-unix* ) echo "disabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); disable_scripted_input $input_endpoint;;
*unix* | *Splunk_TA_nix* ) echo "disabling $line"; input_endpoint=$(build_scripted_input_endpoint "$line"); disable_scripted_input $input_endpoint;;
esac
done
for line in $MONITOR_INPUTS; do
@ -389,7 +388,7 @@ function clone_all_inputs
script_list=$(get_script_list)
for line in $script_list; do
case "$line" in
*unix* | *TA-unix* ) echo ""; echo " cloning $line to $server_name"; echo ""; scripted_clone "$line"
*unix* | *Splunk_TA_nix* ) echo ""; echo " cloning $line to $server_name"; echo ""; scripted_clone "$line"
esac
done
for line in $MONITOR_INPUTS; do
@ -643,7 +642,7 @@ function select_input_menu
script_list=$(get_script_list)
for line in $script_list; do
case "$line" in
*unix* | *TA-unix* ) echo " $input_counter - $line"; selection_list[$input_counter]=$line; input_counter=`expr $input_counter + 1`;
*unix* | *Splunk_TA_nix* ) echo " $input_counter - $line"; selection_list[$input_counter]=$line; input_counter=`expr $input_counter + 1`;
esac
done
for line in $MONITOR_INPUTS; do
@ -883,7 +882,7 @@ function set_unix_app_info
for line in $app_output; do
case "$line" in
*unix* ) set_app_installed "unix";;
*TA-unix* ) set_app_installed "TA-unix";;
*Splunk_TA_nix* ) set_app_installed "Splunk_TA_nix";;
*ENABLED*) set_app_enabled;;
#*DISABLED*) set_app_disabled;;
esac


@ -1,4 +1,3 @@
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
@ -21,19 +20,19 @@ class SetupService(splunk.rest.BaseRestHandler):
sessionKey = self.sessionKey
try:
conf = bundle.getConf(
"app", sessionKey, namespace="TA-unix", owner="nobody"
"app", sessionKey, namespace="Splunk_TA_nix", owner="nobody"
)
stanza = conf.stanzas["install"].findKeys("is_configured")
if stanza:
if stanza["is_configured"] == "0" or stanza["is_configured"] == "false":
conf["install"]["is_configured"] = "true"
splunk.rest.simpleRequest(
"/apps/local/TA-unix/_reload", sessionKey=sessionKey
"/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey
)
else:
conf["install"]["is_configured"] = "true"
splunk.rest.simpleRequest(
"/apps/local/TA-unix/_reload", sessionKey=sessionKey
"/apps/local/Splunk_TA_nix/_reload", sessionKey=sessionKey
)
except Exception as e:
self.response.write(e)


@ -6,9 +6,8 @@
. "$(dirname "$0")"/common.sh
SSH_CONFIG_FILE=""
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "OpenBSD" ] ; then
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] ; then
SSH_CONFIG_FILE=/etc/ssh/sshd_config
[ "$KERNEL" = "OpenBSD" ] && SPLUNK_HOME=/usr
elif [ "$KERNEL" = "Darwin" ] ; then
SSH_CONFIG_FILE=/etc/sshd_config
else


@ -51,8 +51,6 @@ elif [ "$KERNEL" = "Darwin" ] && [ $FOUND_SNTP -eq 0 ] ; then # Mac OS 10.14.6 o
echo "CONFIG=$CONFIG, SERVER=$SERVER" >> "$TEE_DEST"
#With Chrony
elif [ "$KERNEL" = "OpenBSD" ]; then
CMD2="ntpctl -s all"
else
CMD2="chronyc -n sources"
fi


@ -1,30 +1,22 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
TMP_ERROR_FILTER_FILE=$(mktemp) # For filering out apt warning from stderr
TMP_ERROR_FILTER_FILE=$SPLUNK_HOME/var/run/splunk/unix_update_error_tmpfile # For filering out apt warning from stderr
if [ "$KERNEL" = "Linux" ] ; then
assertHaveCommand date
OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2)
OS_FILE=/etc/os-release
# Ubuntu doesn't have yum installed by default hence apt is being used to get the list of upgradable packages
if [ "$OSName" = "Ubuntu" ] || [ "$OSName" = "Debian_GNU/Linux" ]; then
if [ "$OSName" = "Ubuntu" ]; then
assertHaveCommand apt
assertHaveCommand sed
# For this to work properly, add a line to /etc/sudoers like this:
# splunk ALL=(root) NOPASSWD: /usr/bin/apt update
# Without the above line, 'apt list --upgradable' will not show updated packages unless the package databases were updated outside of this script
# sed command here replaces '/, [, ]' with ' '
if [ $(id -u) != 0 ]; then
CMD='eval date ; sudo -n /usr/bin/apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
else
CMD='eval date ; /usr/bin/apt update > /dev/null 2>&1 ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
fi
CMD='eval date ; eval apt list --upgradable | sed "s/\// /; s/\[/ /; s/\]/ /"'
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
# shellcheck disable=SC2016
@ -41,22 +33,6 @@ if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
PARSE_2='header_found { gsub(/[[:space:]]*\|[[:space:]]*/, "|"); split($0, arr, /\|/); printf "%s repository=%s package=%s current_package_version=%s latest_package_version=%s sles_architecture=%s\n", DATE, arr[2], arr[3], arr[4], arr[5], arr[6]}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
elif [ "$OSName" = "Arch_Linux" ] || [ "$OSName" = "Arch_Linux_ARM" ]; then
assertHaveCommand checkupdates
assertHaveCommand sed
# For this to work properly, add a line to /etc/sudoers like this:
# splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
# Without the above line, checkupdates will not show updated packages unless the package databases were updated outside of this script (similar to Debian's apt update)
if [ $(id -u) != 0 ]; then
CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; sudo -n /usr/bin/pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
else
CMD='eval date ; eval uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/"; /usr/bin/pacman -Syy > /dev/null 2>&1 ; eval checkupdates'
fi
# shellcheck disable=SC2016
PARSE_0='NR==1 {DATE=$0}'
PARSE_1='NR==2 {ARCH=$0}'
PARSE_2='NR>2 {printf "%s arch_architecture=%s package=%s current_package_version=%s latest_package_version=%s\n", DATE, ARCH, $1, $2, $4}'
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2"
else
assertHaveCommand yum
@ -103,7 +79,7 @@ elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand date
assertHaveCommand softwareupdate
CMD='eval date ; softwareupdate -l 2>&1 | grep -v "XType: Using static font registry"'
CMD='eval date ; softwareupdate -l'
# shellcheck disable=SC2016
PARSE_0='NR==1 {
DATE=$0
@ -115,21 +91,15 @@ elif [ "$KERNEL" = "Darwin" ] ; then
# of the update. Otherwise, print the update.
# shellcheck disable=SC2016
PARSE_1='NR>1 && PROCESS==1 && $0 !~ /^[[:blank:]]*$/ {
if ( $1 == "Title:" ) {
line = $0;
gsub(/^.*Title: /, "", line);
gsub(/, Version:.*$/, "", line);
PACKAGE="package=\"" line "\""
version = $0;
gsub(/^.*Title: [^,]+, Version: /, "", version);
gsub(/, Size:.*$/, "", version);
VERSION="latest_package_version=\"" version "\""
if ( $0 ~ /^[[:blank:]]*\*/ ) {
PACKAGE="package=\"" substr($0, index($0,$3)) "\""
RECOMMENDED=""
RESTART=""
TOTAL=TOTAL+1
if ( $0 ~ /Recommended: YES/ ) { RECOMMENDED="is_recommended=\"true\"" }
if ( $0 ~ /Action: restart/ ) { RESTART="restart_required=\"true\"" }
printf "%s %s %s %s\n", DATE, PACKAGE, VERSION, RECOMMENDED, RESTART
} else {
if ( $0 ~ /Recommended/ ) { RECOMMENDED="is_recommended=\"true\"" }
if ( $0 ~ /restart/ ) { RESTART="restart_required=\"true\"" }
printf "%s %s %s %s\n", DATE, PACKAGE, RECOMMENDED, RESTART
}
}'
@ -145,10 +115,6 @@ elif [ "$KERNEL" = "Darwin" ] ; then
MESSAGE="$PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3"
elif [ "$KERNEL" = "OpenBSD" ] ; then
CMD="eval pkg_add -usv 2>&1 | grep -vE '(Adding quirks-|pkg_add should be run as root)' | grep ^Adding | sed -E 's/^Adding ([^:]+:)?(.*)->(.*)\(pretending\)/\2 \3/' | while read pkg ver; do name=\$(pkg_info -P \$pkg | grep -A1 ^Pkgpath:|tail -n1|cut -d/ -f2-); date \"+%a %b %e %H:%M:%S %Z %Y arch_architecture=\$(arch -s) package=\$name current_package_version=\$(echo \$pkg | sed -E \"s/\$name-//\") latest_package_version=\$ver\"; done"
#CMD="eval for f in \$(pkg_add -usv 2>&1 | grep -vE \"(Adding quirks-|pkg_add should be run as root)\" | grep ^Adding | sed -E \"s/^Adding ([^:]+:)?(.*)->(.*)\(pretending\)/\2 \3/\"); do echo \$f; done"
MESSAGE="{print}"
else
# Exits
failUnsupportedScript
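Review bot: `if [ "$OSName" = "Ubuntu" ]` is the only branch that uses `apt`; every other Linux distribution reaches the `else` branch and `assertHaveCommand yum`, which exits the script on any apt-based system that is not literally named Ubuntu. Keying the branch on the tool rather than the distribution name avoids that, e.g. `if command -v apt >/dev/null 2>&1; then`, though that changes which branch wins on a host that has both tools installed, so confirm against the intended targets. `OSName=$(cat /etc/*release | grep '\bNAME=' ...)` also reads every `/etc/*release` file, so on a host where more than one of them carries a `NAME=` line the variable holds several values and the comparison never matches — presumably rare, but worth a `head -n1`. The Linux/Darwin `if` chain this hunk belongs to starts outside the hunk.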

View file

@ -18,7 +18,7 @@ fi
# This should work for any POSIX-compliant system, but in case it doesn't
# we have left the individual OS names here to be broken out later on.
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "AIX" ] || [ "$KERNEL" = "HP-UX" ] || [ "$KERNEL" = "Darwin" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
assertHaveCommand ps
CMD='eval date; LC_ALL=POSIX ps -o etime= -p 1'


@ -8,20 +8,13 @@
PRINTF='END {printf "%s %s %s %s %s %s %s %s %s\n", DATE, MACH_HW_NAME, MACH_ARCH_NAME, OS_REL, OS_NAME, OS_VER, KERNEL_NAME, KERNEL_VERSION, KERNEL_RELEASE}'
if [ "$KERNEL" = "Linux" ] ; then
if [ "$KERNEL" = "Linux" ] || [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] ; then
assertHaveCommand date
assertHaveCommand uname
VERSION=$(grep "^VERSION=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)
NAME=$(grep "^NAME=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)
VERSION_ID=$(grep "^VERSION_ID=" /etc/*-release | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)
MACHINE_ARCH=$(uname -p)
which dpkg > /dev/null 2>&1 && MACHINE_ARCH=$(dpkg --print-architecture)
which pacman > /dev/null 2>&1 && MACHINE_ARCH=$(uname -m | sed -r "s/(armv7l|aarch64)/arm64/;s/x86_64/amd64/") && VERSION=rolling && VERSION_ID=rolling
CMD="eval date ; eval uname -m ; echo \"$VERSION\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; echo \"$MACHINE_ARCH\" ; eval uname -s ; eval uname -v ; eval uname -r"
elif [ "$KERNEL" = "SunOS" ] || [ "$KERNEL" = "FreeBSD" ] || [ "$KERNEL" = "OpenBSD" ] ; then
assertHaveCommand date
assertHaveCommand uname
CMD='eval date ; eval uname -m ; eval uname -r ; echo $KERNEL ; eval uname -r; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r;'
CMD="eval date ; eval uname -m ; echo \"$VERSION\" ; echo \"$NAME\" ; echo \"$VERSION_ID\" ; eval uname -p ; eval uname -s ; eval uname -v ; eval uname -r"
elif [ "$KERNEL" = "Darwin" ] ; then
# Darwin-macos uses sw_vers for os version, name and release switch.
assertHaveCommand date
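Review bot: `grep "^VERSION=" /etc/*-release` (and the `NAME=`/`VERSION_ID=` lines after it) now runs on SunOS and FreeBSD as well as Linux, and when no `/etc/*-release` file exists the unexpanded glob is passed to grep literally, which prints a "No such file or directory" error to stderr while `VERSION`, `NAME` and `VERSION_ID` stay empty. Silencing or guarding the lookup keeps the input's error stream clean, e.g. `VERSION=$(grep "^VERSION=" /etc/*-release 2>/dev/null | cut -d= -f2 | sed 's/^["]*//;s/["]*$//' | paste -sd " " -)`, or wrap the three assignments in `if [ -r /etc/os-release ]; then ... fi`. Whether those BSD/Solaris versions ship an os-release file is something to confirm against the supported platform list. The `elif` chain continues outside the hunk.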


@ -1,13 +1,10 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
@ -29,7 +26,7 @@ if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
# shellcheck disable=SC2016
PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
@ -129,9 +126,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand top
assertHaveCommand vm_stat
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"'
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='/^hw.memsize:/ {memTotalMB=$2 / (1024*1024)}'
@ -140,39 +137,24 @@ elif [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016
PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
# shellcheck disable=SC2016
PARSE_3='/^pgpageout / {pgPageOut=0+$2}'
PARSE_3='/^VM:/ {pgPageOut=0+$7}'
if $OSX_GE_SNOW_LEOPARD; then
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
else
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
fi
# shellcheck disable=SC2016
PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}'
PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
# shellcheck disable=SC2016
PARSE_8='/^pgswapout / {pgSwapOut=0+$2}'
PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl -n hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='(NR==1) {memTotalMB=$1 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/pages being paged out$/ {pgPageOut+=$1} /forks$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
# shellcheck disable=SC2016
PARSE_2='/load averages:/ {loadAvg1mi=$3} /^[0-9]+ processes: / {processes=$1}'
# shellcheck disable=SC2016
PARSE_3='/Swap: / { split($10, a, "/"); swapTotal=toMB(a[2]); swapUsed=toMB(a[1]); swapFree=swapTotal-swapFree; } /^Memory: / {memFreeMB=toMB($6)}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
MASSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
FILL_BLANKS='END {threads=pgSwapOut="?"}'
FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
@ -195,5 +177,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
FILL_BLANKS='END {threads=pgSwapOut="?"}'
fi
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK "$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF" header="$HEADER"
echo "Cmd = [$CMD]; | $AWK '$HEADERIZE $MASSAGE $FILL_BLANKS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"
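Review bot: In the Darwin branch `PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'` the second rule has no pattern, so it runs for every record the first rule does not skip and `pgPageOut_PS` ends up as field 2 of the last line of the whole `CMD` output; `PARSE_8` does the same for `pgPageIn_PS`, so both values are presumably identical and unrelated to the `sar -gp` figures. The first rule's `$1 ~ "pgout*"` is also tested on the `Average:` line, whose first field is `Average:`, so it looks like it can never match — confirm against real `sar -gp 1 2` output. If sar prints a header naming `pgout/s` and `pgin/s` before each series, the rules can track the series instead: `PARSE_7='/pgout\/s/ {sect="out"; next} /^Average:/ && sect=="out" {pgPageOut_PS=$2}'` and `PARSE_8='/pgin\/s/ {sect="in"; next} /^Average:/ && sect=="in" {pgPageIn_PS=$2}'`. The same two rules appear in the Darwin branch of the next section (the metric variant of this script). The `elif [ "$KERNEL" = "Darwin" ]` branch starts outside the hunk.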


@ -1,13 +1,10 @@
#!/bin/sh
# Copyright (C) 2025 Michael Erdely All Rights Reserved.
# SPDX-FileCopyrightText: 2024 Splunk, Inc.
# SPDX-License-Identifier: Apache-2.0
# shellcheck disable=SC1091
. "$(dirname "$0")"/common.sh
assertHaveCommand column
# hardware.sh is called in all commands to get CPU counts. The CPU count is required to determine
# the number of threads that waited for execution time. CPU count accounts for hyperthreaded cores so
# (load average - CPU count) gives a reasonable estimate of how many threads were waiting to execute.
@ -26,16 +23,16 @@ if [ "$KERNEL" = "Linux" ] ; then
# shellcheck disable=SC2016
CMD='eval uptime ; ps -e | wc -l ; ps -eT | wc -l ; vmstat -s ; `dirname $0`/hardware.sh; sar -B 1 2; sar -I SUM 1 2'
if [ ! -f "/etc/os-release" ] ; then
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
DEFINE="-v OSName=$(cat /etc/*release | head -n 1| awk -F" release " '{print $1}'| tr ' ' '_') -v OS_version=$(cat /etc/*release | head -n 1| awk -F" release " '{print $2}' | cut -d\. -f1) -v IP_address=$(hostname -I | cut -d\ -f1)"
else
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep -E '\b(VERSION|BUILD)_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(ip -4 route show default | awk '{print $9}')"
DEFINE="-v OSName=$(cat /etc/*release | grep '\bNAME=' | cut -d '=' -f2 | tr ' ' '_' | cut -d\" -f2) -v OS_version=$(cat /etc/*release | grep '\bVERSION_ID=' | cut -d '=' -f2 | cut -d\" -f2) -v IP_address=$(hostname -I | cut -d\ -f1)"
fi
# shellcheck disable=SC2016
PARSE_0='NR==1 {loadAvg1mi=0+$(NF-2)} NR==2 {processes=$1} NR==3 {threads=$1}'
# shellcheck disable=SC2016
PARSE_1='/total memory$/ {memTotalMB=$1/1024} /free memory$/ {memFreeMB+=$1/1024} /buffer memory$/ {memFreeMB+=$1/1024} /swap cache$/ {memFreeMB+=$1/1024}'
# shellcheck disable=SC2016
PARSE_2='/(K|pages) paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
PARSE_2='/pages paged out$/ {pgPageOut=$1} /used swap$/ {swapUsed=$1} /free swap$/ {swapFree=$1} /pages swapped out$/ {pgSwapOut=$1}'
# shellcheck disable=SC2016
PARSE_3='/interrupts$/ {interrupts=$1} /CPU context switches$/ {cSwitches=$1} /forks$/ {forks=$1}'
# shellcheck disable=SC2016
@ -139,9 +136,9 @@ elif [ "$KERNEL" = "HP-UX" ] ; then
elif [ "$KERNEL" = "Darwin" ] ; then
assertHaveCommand sysctl
assertHaveCommand top
assertHaveCommand vm_stat
assertHaveCommand sar
# shellcheck disable=SC2016
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; vm_stat | awk "/Pageouts:/{print \"pgpageout \" \$NF}/^Swapouts:/{print \"pgswapout \" \$NF}"; vm_stat -c5 1 | tail -n -4 | awk "{pi=pi+\$19;po=po+\$20;si=si+\$21;so=so+\$22}END{printf \"pginps %.2f pgoutps %.2f swinps %.2f swoups %.2f\n\",pi/4,po/4,si/4,so/4}"'
CMD='eval sysctl hw.memsize ; sysctl vm.swapusage ; top -l 1 -n 0; `dirname $0`/hardware.sh; sar -gp 1 2'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
@ -151,40 +148,24 @@ elif [ "$KERNEL" = "Darwin" ] ; then
# shellcheck disable=SC2016
PARSE_2='/^vm.swapusage:/ {swapUsed=toMB($7); swapFree=toMB($10)}'
# shellcheck disable=SC2016
PARSE_3='/^pgpageout / {pgPageOut=0+$2}'
PARSE_3='/^VM:/ {pgPageOut=0+$7}'
if $OSX_GE_SNOW_LEOPARD; then
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-1)}'
else
# shellcheck disable=SC2016
PARSE_4='/^Processes:/ {processes=$2; threads=$(NF-2)}'
fi
# shellcheck disable=SC2016
PARSE_5='/^Load Avg:/ {loadAvg1mi=0+$3}'
# shellcheck disable=SC2016
PARSE_6='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_7='$1 == "pginps" {pgPageIn_PS=$2;pgPageOut_PS=$4;pgSwapIn=$6;pgSwapOut=$8}'
PARSE_7='($0 ~ "Average" && $1 ~ "pgout*") {next} {pgPageOut_PS=$2}'
# shellcheck disable=SC2016
PARSE_8='/^pgswapout / {pgSwapOut=0+$2}'
PARSE_8='($0 ~ "Average" && $1 ~ "pgin*") {next} {pgPageIn_PS=$2}'
MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $PARSE_7 $PARSE_8 $DERIVE"
FILL_BLANKS='END {cSwitches=interrupts=interrupts_PS=forks="0"}'
elif [ "$KERNEL" = "OpenBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl -n hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
DEFINE="-v OSName=$(uname -s) -v OS_version=$(uname -r) -v IP_address=$(ifconfig -a | grep 'inet ' | grep -v 127.0.0.1 | cut -d\ -f2 | head -n 1)"
FUNCS='function toMB(s) {n=0+s; if (index(s,"K")) {n /= 1024} if (index(s,"G")) {n *= 1024} return n}'
# shellcheck disable=SC2016
PARSE_0='(NR==1) {memTotalMB=$1 / (1024*1024)}'
# shellcheck disable=SC2016
PARSE_1='/pages being paged out$/ {pgPageOut+=$1} /forks$/ {forks+=$1} /cpu context switches$/ {cSwitches+=$1} /interrupts$/ {interrupts+=$1}'
# shellcheck disable=SC2016
PARSE_2='/load averages:/ {loadAvg1mi=$3} /^[0-9]+ processes: / {processes=$1}'
# shellcheck disable=SC2016
PARSE_3='/Swap: / { split($10, a, "/"); swapTotal=toMB(a[2]); swapUsed=toMB(a[1]); swapFree=swapTotal-swapFree; } /^Memory: / {memFreeMB=toMB($6)}'
# shellcheck disable=SC2016
PARSE_4='/^CPU_COUNT/ {cpuCount=$2}'
# shellcheck disable=SC2016
PARSE_5='($3 ~ "INTR") {nr1[NR+3]} NR in nr1 {interrupts_PS=$3}'
# shellcheck disable=SC2016
PARSE_6='($3 ~ "pgpgin*") {nr2[NR+3]} NR in nr2 {pgPageIn_PS=$3; pgPageOut_PS=$4}'
MESSAGE="$FUNCS $PARSE_0 $PARSE_1 $PARSE_2 $PARSE_3 $PARSE_4 $PARSE_5 $PARSE_6 $DERIVE"
FILL_BLANKS='END {threads=pgSwapOut="?"}'
FILL_BLANKS='END {pgSwapOut=cSwitches=interrupts=interrupts_PS=forks="?"}'
elif [ "$KERNEL" = "FreeBSD" ] ; then
# shellcheck disable=SC2016
CMD='eval sysctl hw.physmem ; vmstat -s ; top -Sb 0; `dirname $0`/hardware.sh'
@ -208,5 +189,5 @@ elif [ "$KERNEL" = "FreeBSD" ] ; then
FILL_BLANKS='END {threads=pgSwapOut="?"}'
fi
# shellcheck disable=SC2086
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER" | column -t
$CMD | tee "$TEE_DEST" | $AWK $DEFINE "$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF " header="$HEADER"
echo "Cmd = [$CMD]; | $AWK $DEFINE '$HEADERIZE $MESSAGE $FILL_BLANKS $FILL_DIMENSIONS $PRINTF' header=\"$HEADER\"" >> "$TEE_DEST"


@ -7,24 +7,24 @@
[install]
is_configured = false
state = enabled
build = 1738793362
build = 1738357282
[ui]
setup_view = ta_nix_configuration
is_visible = true
label = Technical Add-on for Unix and Linux
label = Splunk Add-on for Unix and Linux
docs_section_override = AddOns:released
[launcher]
author = Michael Erdely
version = 10.0.0.1
description = Technical Add-on for Unix and Linux
author = Splunk, Inc.
version = 10.0.0
description = Splunk Add-on for Unix and Linux
#[package]
#id = TA-unix
#check_for_updates = true
[package]
id = Splunk_TA_nix
check_for_updates = true
[id]
name = TA-unix
version = 10.0.0.1
name = Splunk_TA_nix
version = 10.0.0


@ -4,12 +4,11 @@
-->
<dashboard script="setup_cloud.js" stylesheet="setup.css" version="1.1">
<label>Technical Add-on for Unix and Linux: Setup</label>
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<panel>
<html>
<p>Please set up this add-on on your forwarders. Documentation on how to configure this add-on,
which is the same as the Splunk Add-on for Unix and Linux, is
<p>Please set up this add-on on your forwarders. Documentation on how to configure this add-on is
<a target="_blank" href="http://docs.splunk.com/Documentation/UnixAddOn/latest/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment">here</a>.
<br/>
Click on below button, if you are getting redirected to this page while editing the add-on's knowledge object.
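Review bot: The documentation anchor in this panel links to `http://docs.splunk.com/...` in cleartext; since the dashboard is served from the Splunk UI, the link should be `href="https://docs.splunk.com/Documentation/UnixAddOn/latest/User/DeploytheSplunkAdd-onforUnixandLinuxinadistributedSplunkenvironment"`. The `http://apps.splunk.com/app/833/` and `http://apps.splunk.com/` anchors in the next section's setup dashboard have the same issue.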


@ -10,15 +10,15 @@
|| It has no effect on Splunk Enterprise.
-->
<dashboard script="setup.js" stylesheet="setup.css" isVisible="false" version="1.1">
<label>Technical Add-on for Unix and Linux: Setup</label>
<label>Splunk Add-on for Unix and Linux: Setup</label>
<row>
<html>
<p id="overview">
The Technical Add-on for Unix and Linux provides pre-built data inputs to facilitate
The Splunk Add-on for Unix and Linux provides pre-built data inputs to facilitate
Linux and Unix system monitoring using Splunk. Check out the
<a href="https://git.erdelynet.com/mike/TA-unix" target="_blank">
Technical Add-on for Unix and Linux
</a> page
<a href="http://apps.splunk.com/app/833/" target="_blank">
Splunk for Unix Technical Add-on
</a> page on <a href="http://apps.splunk.com/" target="_blank">Splunkbase</a>
for support information, the latest updates, and more.
</p>


@ -8,7 +8,7 @@
search = NOT *
[nix_ta_data]
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (docker_metric, vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, docker, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
search = eventtype=nix_ta_custom_eventtype OR (sourcetype IN (vmstat_metric, iostat_metric, ps_metric, df_metric, interfaces_metric, cpu_metric, vmstat, iostat, ps, top, netstat, bandwidth, protocol, openPorts, time, lsof, df, who, usersWithLoginPrivs, lastlog, interfaces, cpu, auditd, package, hardware, bash_history, Unix:ListeningPorts, Unix:UserAccounts, Linux:SELinuxConfig, Unix:Service, Unix:SSHDConfig, Unix:Update, Unix:Uptime, Unix:Version, Unix:VSFTPDConfig, config_file, dhcpd, nfsiostat, ignored_type, aix_secure, osx_secure, linux_secure, linux_audit, syslog) OR source IN (/Library/Logs/*, /var/log/*, /var/adm/*, /etc/*))
###### Globals ######
[nix_security]
@ -112,10 +112,6 @@ search = sourcetype=time
[usersWithLoginPrivs]
search = sourcetype=usersWithLoginPrivs
[docker]
search = sourcetype=docker
#tags = performance os avail unix report docker
[vmstat]
search = sourcetype=vmstat
#tags = performance os avail unix report vmstat resource success memory


@ -4,12 +4,6 @@
##
##
[script://./bin/docker_metric.sh]
sourcetype = docker_metric
source = docker
interval = 60
disabled = 1
[script://./bin/vmstat_metric.sh]
sourcetype = vmstat_metric
source = vmstat
@ -50,12 +44,6 @@ disabled = 1
############### Event Inputs ###################
################################################
[script://./bin/docker.sh]
interval = 60
sourcetype = docker
source = docker
disabled = 1
[script://./bin/vmstat.sh]
interval = 60
sourcetype = vmstat


@ -91,15 +91,6 @@ FIELDALIAS-dest_nt_host = dest_host as dest_nt_host
## Scripted Metric Inputs
#########################
[docker_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER = ([\r\n]+)
KV_MODE = json
NO_BINARY_CHECK = true
TRUNCATE=1000000
TRANSFORMS-docker-metric-dimensions=eval_dimensions
METRIC-SCHEMA-TRANSFORMS=metric-schema:extract_metrics_docker
[vmstat_metric]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
@ -523,14 +514,6 @@ TRUNCATE=1000000
DATETIME_CONFIG = CURRENT
KV_MODE=multi
[docker]
SHOULD_LINEMERGE=false
LINE_BREAKER=(^$|[\r\n]+)
TRUNCATE=1000000
KV_MODE = json
FIELDALIAS-dest_for_docker = host as dest
FIELDALIAS-src_for_docker = host as src
[vmstat]
LINE_BREAKER=(^$|[\r\n]+[\r\n]+)
TRUNCATE=1000000
@ -574,7 +557,7 @@ FIELDALIAS-dest = host as dest
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# TA-unix on the search head but which may be searching data
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.


@ -274,6 +274,7 @@ network = enabled
session = enabled
end = enabled
## Authentication
[eventtype=sshd_authentication]
authentication = enabled
remote = enabled
@ -664,7 +665,7 @@ os = enabled
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# TA-unix on the search head but which may be searching data
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.


@ -183,9 +183,6 @@ REGEX=[[dhcp_prefix_src]]reuse_lease:\s+lease\s+age.*under.*threshold,\s+reply\s
# Support for omitting the IPv6 Address field when the script output doesn't include an IPv6 Address
INGEST_EVAL = metric_name=sourcetype, entity_type="TA_Nix", OS_name=replace(OSName, "_", " "), IPv6_address = if(IPv6_Address=="?", null(), IPv6_Address)
#[extract_docker_metrics]
#INGEST_EVAL= CPUPct=CPUPct,MemUsage=MemUsage,MemTotal=MemTotal,MemPct=MemPct,NetRX=NetRX,RXps=RXps,NetTX=NetTX,TXps=TXps,BlockRead=BlockRead,BRps=BRps,BlockWrite=BlockWrite,BWps=BWps,Pids=Pids
[extract_df_metrics]
INGEST_EVAL = UsePct=coalesce('UsePct','Capacity','Use'), Size_KB=coalesce('Size','1K_blocks','1024_blocks'), Used_KB='Used', Avail_KB=coalesce('Avail','Available'), INodes=coalesce('INodes','Inodes'), IUsed=coalesce('IUsed','iused','Iused'), IFree=coalesce('IFree','ifree','Ifree'), IUsePct=coalesce('IUsePct','IUse'), Size=coalesce('Size','1K_blocks','1024_blocks'), Avail=coalesce('Avail','Available'), Type=coalesce('Type',"?")
@ -211,10 +208,6 @@ METRIC-SCHEMA-BLACKLIST-DIMS= OSName
METRIC-SCHEMA-MEASURES= memTotalMB,memFreeMB,memUsedMB,memFreePct,memUsedPct,pgPageOut,swapUsedPct,pgSwapOut,cSwitches,interrupts,forks,processes,threads,loadAvg1mi,waitThreads,interrupts_PS,pgPageIn_PS,pgPageOut_PS
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_docker]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_version
METRIC-SCHEMA-BLACKLIST-DIMS= OSName
[metric-schema:extract_metrics_df]
METRIC-SCHEMA-MEASURES= _NUMS_EXCEPT_ OS_name, OS_version, IP_address, Filesystem, Type, MountedOn, IPv6_Address, IPv6_address
METRIC-SCHEMA-BLACKLIST-DIMS= IPv6_Address
@ -531,7 +524,7 @@ FORMAT = signature::$1
# Stanzas in this section are legacy configuration stanzas
# intended to support parsing of data created by scripts in
# TA-deploymentapps, which has since been retired. Systems that use
# TA-unix on the search head but which may be searching data
# Splunk_TA_nix on the search head but which may be searching data
# from forwarders on which the older scripts are still in use should
# be able to search new and old data seamlessly.

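--- a/<PATH-NOT-SHOWN>
+++ /dev/null
@@ -1,153 +0,0 @@
-# Technical Add-on for Unix and Linux
-## Version 10.0.0.1 (2025-02-19)
-Fix report CPU_TYPE in hardware.sh for RPIs
-Changes:
-* For CPU_TYPE in hardware.sh, report something if /proc/cpuinfo does not
-contain processor model information
-## Version 10.0.0.0 (2025-02-05)
-Merge in Splunk Add-On for Unix and Linux version 10.0.0
-## Version 9.2.0.13 (2025-02-03)
-Fix alignment and fix packages for Arch Linux
-Changes:
-* Align columns with "column -t"
-* Add Arch Linux support in packages.sh
-## Version 9.2.0.12 (2025-01-25)
-Add Version to update.sh for Darwin
-Changes:
-* Add version to update.sh for Darwin
-## Version 9.2.0.11 (2025-01-25)
-Fix Darwin Scripts and Document Sudo
-Changes:
-* Use sudo in service.sh for Darwin to find user services if not running as root
-* Fix parsing the output of softwareupdate command on Darwin in update.sh
-* Better document usage of sudo in docs/Sudo.md
-## Version 9.2.0.10 (2025-01-25)
-Fix OpenBSD Support and Other Bugs
-Changes:
-* Fix OpenBSD cpu.sh output to match others
-* Fix OpenBSD df.sh output (no need for %% here)
-* Do not use sudo or doas when running as root
-* Use #!/usr/bin/env bash to support OpenBSD in run_nix_ta_commands
-* Fix rsyslog example to trim whitespace in run_nix_ta_commands
-* Add /usr/local/sbin:/usr/local/bin to PATH in run_nix_ta_commands
-* Fix getting hour and minute for OpenBSD in run_nix_ta_commands
-"08" shows up to printf as octal
-* Support difference in OpenBSD logger command:
-Requires modifying /etc/syslog.conf and setting facility in /etc/nix_ta.conf
-## Version 9.2.0.9 (2025-01-25)
-Support OpenBSD
-Changes:
-* Add OpenBSD support to the scripts
-* Fix sysctl usage for FreeBSD in a couple places
-## Version 9.2.0.8 (2025-01-23)
-Fix df.sh and df_metric.sh
-Changes:
-* Fix Linux when df outputs a "-"
-* Exclude efivars partitions for Linux
-* Fix the output on Darwin to match Linux output
-## Version 9.2.0.7 (2025-01-20)
-Fix run_nix_ta_commands script
-Changes:
-* Make run_nix_ta_commands (in extra) use /etc/nix_ta.conf for its settings
-instead of hard-coding them in the script
-## Version 9.2.0.6 (2025-01-17)
-Fix docker script and props
-Changes:
-* Fix output for docker script (handle lines that didn't have values)
-* Fix props.conf LINE_BREAKER for docker
-## Version 9.2.0.5 (2025-01-11)
-Add script for docker events/metrics and support running TA outside of Splunk
-Changes:
-* Add docker.sh and docker_metric.sh for collecting docker events/metrics
-* Add helper script to extra/ to run the TA commands on systems without
-a Splunk forwarder. The commands can be sent to a syslog server.
-This script is useful for systems with small or read-only filesystems that
-cannot support a Universal Forwarder.
-* Add syslog_inputs_nix_ta app to extra/ for ingesting the data from syslog
-## Version 9.2.0.4 (2025-01-11)
-Make distro_name work everywhere
-Changes:
-* For MacOS, print MacOS for distro_name
-* For others, print $KERNEL for distro_name
-## Version 9.2.0.3 (2025-01-11)
-Fix bug in 9.2.0.2
-Changes:
-* Add code I forgot for machine_arch for Linux
-* Add Makefile to make making releases easier
-## Version 9.2.0.2 (2025-01-11)
-Improvements for version.sh
-Changes:
-* Include kernel_release, kernel_version, and distro_name
-* For Linux and MacOS, use actual OS versions/releases instead of
-kernel version/release
-## Version 9.2.0.1 (2025-01-09)
-Initial fork of the Splunk Add-on for Unix and Linux
-Changes:
-* Use ip command to determine IP address
-('hostname -I' does not work on all Linux systems)
-* Filter out multiple listing of the same btrfs volume
-* Use mktemp for temp files (for times when the TA may be run outside of Splunk)
-* If running rlog.sh outside of Splunk, use $HOME to store seek file
-* Debian also uses apt
-* Arch Linux uses pacman
-* Add use of sudo -n for 'apt update' and 'pacman -Syy'
-* vmstat uses "K paged out"
-* Replace the use of 'sar' with netstat and vm_stat for MacOS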

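--- a/docs/Sudo.md
+++ /dev/null
@@ -1,45 +0,0 @@
-# Sudo Usage
-Some commands may need to use sudo or doas to execute. Below is documentation
-for those cases.
-## MacOS/Darwin service.sh
-The service.sh script searches users' home directories and a splunk user does
-not have rights to do that.
-Create a file like /etc/sudoers.d/splunk and add:
-```
-splunk ALL=(root) NOPASSWD: /usr/bin/find /Users -name loginwindow.plist
-```
-## Docker
-Either add the splunk user to the docker group or run the command with sudo.
-To make sudo work, create a file like /etc/sudoers.d/splunk and add:
-```
-splunk ALL=(root) NOPASSWD: /usr/bin/docker stats --no-stream --no-trunc --all
-splunk ALL=(root) NOPASSWD: /usr/bin/docker ps --all --no-trunc --format *
-splunk ALL=(root) NOPASSWD: /usr/bin/docker inspect -f *
-```
-## Debian/Ubuntu apt update
-A splunk user does not have the ability to update the package cache.
-To make sudo work, create a file like /etc/sudoers.d/splunk and add:
-```
-splunk ALL=(root) NOPASSWD: /usr/bin/apt update
-```
-## Arch Linux pacman update cache
-A splunk user does not have the ability to update the package cache.
-To make sudo work, create a file like /etc/sudoers.d/splunk and add:
-```
-splunk ALL=(root) NOPASSWD: /usr/bin/pacman -Syy
-```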

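--- a/extra/run_nix_ta_commands
+++ /dev/null
@@ -1,180 +0,0 @@
-#!/usr/bin/env bash
-# This script allows getting the Techical Add-on for Unix and Linux data into
-# Splunk from systems that are not running a Splunk Universal Forwarder.
-# This is useful for systems with small or read-only file-systems.
-#
-# ## Sample rsyslog.conf:
-# # Config for handling remote logs
-# template(name="RemoteLogs" type="string" string="/share/syslog/%FROMHOST%/%$.myprogramname%/%$.myprogramname%-%$YEAR%-%$MONTH%-%$DAY%.log")
-# # Write raw messages for splunk logs
-# template(name="RawMessageOnly" type="string" string="%$.mymsg%\n")
-# # Look for logs with nix_ta to apply RawMessagesOnly and send to RemoteLogs
-# if ($syslogtag startswith 'nix_ta_') then {
-# set $.mymsg = ltrim(rtrim(replace($msg, "#011", " ")));
-# action(type="omfile" dynaFile="RemoteLogs" template="RawMessageOnly"
-# fileCreateMode="0644" dirCreateMode="0755"
-# fileOwner="root" fileGroup="splunk"
-# dirOwner="root" dirGroup="splunk")
-# stop
-# }
-# # End of sample rsyslog.conf
-#
-# ## run_nix_ta_commands configuration file
-# * Create a new file (/etc/nix_ta.conf) with the following settings in it
-# * ta_home: The directory you copied the Technical Add-on for Unix and Linux files
-# * tag_prefix: The events will be sent to syslog with ${tag_prefix}SCRIPTNAME as a tag
-# * syslog_server: The UDP syslog server to send events to
-# * run_minute: For scripts that have intervals over an hour, which minute to run them
-# * run_hour: For scripts that run once a day, which hour to run them
-# * facility: For logger commands like OpenBSD that do not support pointing to a syslog_server directly
-# Set to something like "local3.info"
-#
-# ## Using syslog facility instead of specifying a syslog server with logger
-# Using $facility when logger does not support specifying $syslog_server:
-# Modify local syslog server to send logs for $facility to the $syslog_server
-# On OpenBSD, an example for /etc/syslog.conf is:
-# local3.* @192.168.1.1
-#
-# ## Cron job example:
-# * * * * * /path/to/script/run_nix_ta_commands
-# Ensure the logger command is available
-which logger > /dev/null 2>&1 || { echo "Error: The logger command is required for this script"; exit; }
-# Ensure PATH has correct paths
-export PATH=$PATH:/usr/local/sbin:/usr/local/bin
-# Example/default settings -- override in /etc/nix_ta.conf
-ta_home=/srv/TA-unix
-tag_prefix=nix_ta_
-syslog_server=192.168.1.1
-run_minute=2
-run_hour=6
-facility=
-[ -r /etc/nix_ta.conf ] && . /etc/nix_ta.conf
-# Get the current minute now to be consistent through the script run
-minute=$(printf "%d" $((10#$(date +%M))))
-# Get the current hour now to be consistent through the script run
-hour=$(printf "%d" $((10#$(date +%H))))
-# Set defaults disabling force-mode and list-mode
-force=0
-list=0
-usage() {
-echo "usage: $(basename $0) [-h] [-f] [-l] [script]"
-echo " -h: print this help text"
-echo " -f: run all enabled scripts regardless of interval"
-echo " -l: list scripts, enabled status, and interval (if enabled)"
-exit
-}
-# Get the command line options
-while getopts ":hlf" opt; do
-case $opt in
-f) force=1 ;;
-l) list=1 ;;
-*) usage ;;
-esac
-done
-shift $((OPTIND -1))
-# Function to actually run the script and pipe it to logger
-runit() {
-[ -z "$1" ] && return 1
-if [ -x $ta_home/bin/$1.sh ]; then
-if [ -n "$facility" ]; then
-{ $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -p $facility -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
-else
-{ $ta_home/bin/$1.sh 2> /dev/null; echo; } | logger -n $syslog_server -t ${tag_prefix}$(echo $1|tr '[A-Z]' '[a-z]')
-fi
-else
-echo Could not find $1 in $ta_home/bin
-return 1
-fi
-}
-# Check the inputs.conf to see if any of the checks are disabled
-declare -A scripts
-declare -A intervals
-# Load defaults first
-if [ -r $ta_home/default/inputs.conf ]; then
-eval $(awk -F '[=#]' '
-/^\[/{name=""}
-/^\[script:\/\//{n=split($1,a,"/");name=gensub(/\.[a-z]+\]/,"",1,a[n]);printf "scripts[%s]=1\nintervals[%s]=60\n",name,name}
-name!="" && $1~/(^|\s*)disabled(\s*|$)/ {disabled=gensub(/(^ | $)/,"","g",gensub(/true/,"1",1,gensub(/false/,"0",1,$2)));printf "scripts[%s]=%s\n",name,disabled}
-name!="" && $1~/(^|\s*)interval(\s*|$)/ {interval=gensub(/(^ | $)/,"","g",$2);printf "intervals[%s]=%s\n",name,interval}
-' $ta_home/default/inputs.conf)
-fi
-# See if any defaults are overridden in the local directory
-if [ -r $ta_home/local/inputs.conf ]; then
-eval $(awk -F '[=#]' '
-/^\[/{name="";disabled=1;interval=60}
-/^\[script:\/\//{n=split($1,a,"/");name=gensub(/\.[a-z]+\]/,"",1,a[n])}
-name!="" && $1~/(^|\s*)disabled(\s*|$)/ {disabled=gensub(/(^ | $)/,"","g",gensub(/true/,"1",1,gensub(/false/,"0",1,$2)));printf "scripts[%s]=%s\n",name,disabled}
-name!="" && $1~/(^|\s*)interval(\s*|$)/ {interval=gensub(/(^ | $)/,"","g",$2);printf "intervals[%s]=%s\n",name,interval}
-' $ta_home/local/inputs.conf)
-fi
-# If -l, just print the scripts
-if [ $list = 1 ]; then
-for script in "${!scripts[@]}"; do
-if [ "${scripts[$script]}" = "0" ]; then
-echo "$script is enabled (${intervals[$script]} seconds)"
-else
-echo "$script is disabled"
-fi
-done
-exit
-fi
-# If a script is specified on the command line, run it (even if disabled)
-if [ "$1" ]; then
-runit $1
-exit
-fi
-# Without -l or -f, loop through the enabled scripts and run them at their interval
-for script in "${!scripts[@]}"; do
-# Only run enabled scripts
-if [ "${scripts[$script]}" = "0" ]; then
-i=${intervals[$script]}
-[ $i -lt 60 ] && i=60
-min=$((i/60))
-# If -f, always run each script
-if [ $force = 1 ]; then
-runit $script
-# If interval is 60 seconds or less, run every minute
-elif [ $min -le 1 ]; then
-runit $script
-# If the current minute is divisible by the number of interval minutes, run
-# example: 600 is 5 minutes, it'll run at 0, 5, 10, 15, ... minutes
-elif [ $((minute % min)) = 0 ]; then
-runit $script
-# If interval is an hour or more
-elif [ $min -gt 60 ]; then
-hr=$((i/60/60))
-# If interval is 1 hour or less, run every hour on $run_minute
-if [ $hr -le 1 ] && [ $minute = $run_minute ]; then
-runit $script
-# If the current hour is divisible by the number of interval hours, run
-# example: 21600 is 6 hours, it'll run at 0, 6, 12, 18 hours
-elif [ $((hour % hr)) = 0 ] && [ $minute = $run_minute ]; then
-runit $script
-# If the number of hours is 24 or more, run every day at $run_hour:$run_minute
-elif [ $hr -ge 24 ] && [ $hour = $run_hour ] && [ $minute = $run_minute ]; then
-runit $script
-fi
-fi
-fi
-done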

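--- a/<PATH-NOT-SHOWN>
+++ /dev/null
@@ -1,4 +0,0 @@
-# Application-level permissions
-[]
-access = read : [ * ], write : [ admin , sc_admin ]
-export = system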

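--- /dev/null
+++ b/splunkbase.manifest
@@ -0,0 +1,359 @@
+{
+"version": "1.0",
+"date": "2025-02-04T11:38:22.666904374Z",
+"hashAlgorithm": "SHA-256",
+"app": {
+"id": 833,
+"version": "10.0.0",
+"files": [
+{
+"path": "LICENSES/Apache-2.0.txt",
+"hash": "d3910dee6fe9fe134856d76268fe82adb1ade1ecf51b3568b7da6b94894b88f3"
+},
+{
+"path": "LICENSES/LicenseRef-Splunk-8-2021.txt",
+"hash": "37906d637abbbeca35cfb2efcb658cabbc0208d101848372c1e55fbf9ba62e47"
+},
+{
+"path": "README/restmap.conf.spec",
+"hash": "5cc8f9508cd792137e1a2129763dd78e9275a0c2f8d3cf7fc25b72848a07d869"
+},
+{
+"path": "README.txt",
+"hash": "106e6203d3ff66f04cac953385cb517cff459b572f8d52adf71a8a59c5851776"
+},
+{
+"path": "THIRDPARTY",
+"hash": "e30015ede460c622a205889b17874cd7261a7903442be1750b982cde6de5ab52"
+},
+{
+"path": "VERSION",
+"hash": "cda5bf0ca405341ecb098ba217bbcf8b4b2e83dc54d559b623093b211e3ee413"
+},
+{
+"path": "app.manifest",
+"hash": "672bddb913818d3f15a6762f41b5dd0dcef93de2c0758e0d0340ca3f6b1cf15f"
+},
+{
+"path": "appserver/static/appIcon.png",
+"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+},
+{
+"path": "appserver/static/components/js_sdk_extensions/common.js",
+"hash": "295fe307ec286b9b4eb89c4b59dbd6204376e63b7346c26fd1b087446db372c2"
+},
+{
+"path": "appserver/static/components/js_sdk_extensions/monitor_inputs.js",
+"hash": "27af704acaeb3b98c78ad5322a6171e1b748b5650be809f5d92a4e5618529123"
+},
+{
+"path": "appserver/static/components/js_sdk_extensions/scripted_inputs.js",
+"hash": "6fe5d6f31a60a86d9988170e1641f13eb315351f890c2247c6de83b3aa372e26"
+},
+{
+"path": "appserver/static/setup.css",
+"hash": "f27882e6a07bbd87f99f95d77211439e71959efae6d52ce4771ce26d06e0bcc9"
+},
+{
+"path": "appserver/static/setup.js",
+"hash": "a3d4e2567779b605a97daa3ced2fc49a8e487a5ec4ee95080392824eb74e7e11"
+},
+{
+"path": "appserver/static/setup_cloud.js",
+"hash": "00875c907fd0dc80fa5d05130c28410a8abd99a0ff43da86c6af87e01d8a21da"
+},
+{
+"path": "bin/bandwidth.sh",
+"hash": "14682eacdc5ab8849ce3e786c05d0140ea166b6f28403106e433048c09533146"
+},
+{
+"path": "bin/common.sh",
+"hash": "6569707362169122ec6a41c9345ed00e09e0913e3855ccb68a21ade3c1c9012d"
+},
+{
+"path": "bin/cpu.sh",
+"hash": "5d1bc8ba07595872eee78d55136c1bd419a9b63aafd1a10ded78ee3ef186782d"
+},
+{
+"path": "bin/cpu_metric.sh",
+"hash": "30b3d257d73ff3e656c8f8b414cbec0afe0ac52838a7a5a2db3f1d64f74211ee"
+},
+{
+"path": "bin/df.sh",
+"hash": "27b0ad779340e6bd8a26e296ce9b0b9cd2721eaadcf4669e5579560a676c9db7"
+},
+{
+"path": "bin/df_metric.sh",
+"hash": "4457b92d8d8ee24441eb38df2134113f5a821111b7c3573b48313adcee39d3e8"
+},
+{
+"path": "bin/hardware.sh",
+"hash": "20e341826d21047e9cc3b7cd632422f6b9a0364282333616c1f912b4dddb7093"
+},
+{
+"path": "bin/interfaces.sh",
+"hash": "ebdd6823f6db05bc76ebdbfb61d1fda63959fd334cf59d2e038ea7bae64355b7"
+},
+{
+"path": "bin/interfaces_metric.sh",
+"hash": "9458deb6ba4c56a22264df75d42945e170f6f1a729d93220617c85810733ef19"
+},
+{
+"path": "bin/iostat.sh",
+"hash": "505a4694c4879fd8ed155394be51431c9839fc9f980077abb0416f844f09d722"
+},
+{
+"path": "bin/iostat_metric.sh",
+"hash": "4af68e89e6a93fa34ccd724ff78a509b7868bc06e60a4f16a6aa24d300d8efc8"
+},
+{
+"path": "bin/lastlog.sh",
+"hash": "1c52c7e734cdc91a9644c243131e6e82e301f48ff4a4c8b88e68ed69917e6233"
+},
+{
+"path": "bin/lsof.sh",
+"hash": "a98a9c64496a081c395e00b692f5eca25ae186cc050c0f31d5425a561fdc63a1"
+},
+{
+"path": "bin/netstat.sh",
+"hash": "a5ef9833cf21c6572431f32991d153a625510a4b0553fe6f56d07bb4f4914b2e"
+},
+{
+"path": "bin/nfsiostat.sh",
+"hash": "c2f50340c82964bcf18710ed787b72354ebf83eacbcdb7b9a58e28c2299802d8"
+},
+{
+"path": "bin/openPorts.sh",
+"hash": "9f7cb2a7f9e8b43ceb7e22930ea125855e64527caa13d76b5c219ec473b899c5"
+},
+{
+"path": "bin/openPortsEnhanced.sh",
+"hash": "d7e19798aec7fb3244b6fe36fce28ca3fc8951a0e38d0516f5ef8c1b06197246"
+},
+{
+"path": "bin/package.sh",
+"hash": "d9da2664cc2b913285d595e7c74dab9e5a6f1703d44e8f517e9b62a5ba70496a"
+},
+{
+"path": "bin/passwd.sh",
+"hash": "4ab37e3c9d07842777ed42f8b22adfe8fe05a9ab0758e833fdc885a26237bafe"
+},
+{
+"path": "bin/protocol.sh",
+"hash": "61e372f670cb74131890a2c0ff381891c83337687b6809f31bf920a99f5bd432"
+},
+{
+"path": "bin/ps.sh",
+"hash": "3a6ebc99c1b5207d54c885338cf06b22f343c1f64a6048d03fd0bf48b82d41b5"
+},
+{
+"path": "bin/ps_metric.sh",
+"hash": "0c3dc356f47728b9b99be79fffe40256eded1644f599b1bbe8b1a9e8db05b10d"
+},
+{
+"path": "bin/rlog.sh",
+"hash": "271fcaf091527670df3e794c29d7bf57d1371909c72c25d56c79dd136b029513"
+},
+{
+"path": "bin/selinuxChecker.sh",
+"hash": "07135df789924f8d4f5ae8228ccbfe0a5e47756de202fcf00a019a12712d8312"
+},
+{
+"path": "bin/service.sh",
+"hash": "d579051391bd1af365bdda6016e3529009e0e7b62e1846fdcdb755b36f0d7c49"
+},
+{
+"path": "bin/setup.sh",
+"hash": "b0263d112fa183411bfe141840d697217025856d44fa67be6d14b240728b7062"
+},
+{
+"path": "bin/setupservice.py",
+"hash": "c69d1b0b4a10ec966c2e752b7ec1c3f4be5ca3721626bbab62ddfe1509d15137"
+},
+{
+"path": "bin/sshdChecker.sh",
+"hash": "ba9ada21b413a1f7ea5ab7850314e96b03c8a3369267af24d9cf2d8f76edb6dc"
+},
+{
+"path": "bin/time.sh",
+"hash": "1072cf254e0aa99bfbfd25bf95ba93d5679bcbc16287d60c11a16103998ca2cd"
+},
+{
+"path": "bin/top.sh",
+"hash": "f380506de00a3bb51d9351108057e498cd8211e3ade7c16fa65121d3ff66ba1d"
+},
+{
+"path": "bin/update.sh",
+"hash": "ebf6c54aa23d171d4204981f82a3e32125ce02a02ae592b939c7ddff375afd71"
+},
+{
+"path": "bin/uptime.sh",
+"hash": "2770952e0c29a92e37d2d23a8a93223812e2facd4597c50e3e832439fdbdf600"
+},
+{
+"path": "bin/usersWithLoginPrivs.sh",
+"hash": "0006baa9bc57e6b5711e557b6532b8c48b29d42bca6364d664042d2aa6f2cf12"
+},
+{
+"path": "bin/version.sh",
+"hash": "a9e28c5ddd56a8b25da85ab7c4bb3dec939401ad210453b39209c059a9d735d2"
+},
+{
+"path": "bin/vmstat.sh",
+"hash": "b816aa5e67ad18b995eb577e16ca7c91ae3ecdeeb019d0b79321ade83a90daef"
+},
+{
+"path": "bin/vmstat_metric.sh",
+"hash": "47df351e2afd7abedb49f8d38f5350ce6276fdb512005ba56e7ff9692f581515"
+},
+{
+"path": "bin/vsftpdChecker.sh",
+"hash": "0009c03f72289e5b7b692cb74951382d1a6d4c3698ef5b08b74e468f3dfe199f"
+},
+{
+"path": "bin/who.sh",
+"hash": "47318dee6246abfd577984383ac134225a84e0dcf0753413f88b7f2be5a8087d"
+},
+{
+"path": "default/app.conf",
+"hash": "bf761213f1ac3ce27e3391dc22a82db31f00f7afbeac4961aea849448ec60fa3"
+},
+{
+"path": "default/data/ui/nav/default.xml",
+"hash": "36078398f91fa377c21f2369271797cc0016b8ba1a6f271e327cce2809f2711d"
+},
+{
+"path": "default/data/ui/views/ta_nix_configuration.env_cloud.xml",
+"hash": "7176b693e2eeb2757d6a5a9651e793141a52b5b36f4b229c31f4ab3e970e8510"
+},
+{
+"path": "default/data/ui/views/ta_nix_configuration.xml",
+"hash": "2d30308510e08aea0a190984fda45b708ab373768796494202a4813c37ef74d2"
+},
+{
+"path": "default/eventtypes.conf",
+"hash": "a7796bdb4f40330bf674c34d8f45a67151cd7e5bdadeaa46b7fca1c4e122d07a"
+},
+{
+"path": "default/inputs.conf",
+"hash": "0eff320f7aba6d35e27e8a0ae0837ad6c4340f9e84a9cdfb71e8162a97ecc782"
+},
+{
+"path": "default/macros.conf",
+"hash": "0daf589bcfbd430f45b55ed3f3d0784f8ad6e79d75300fac9c2604a79fc7f4dc"
+},
+{
+"path": "default/props.conf",
+"hash": "194b6dbb7b228c2d0e124f64a5ee8a137a7fdbb56681b78418f513821f09e0c1"
+},
+{
+"path": "default/restmap.conf",
+"hash": "2774f5332efc8bfeebb88a1d771b8d65cca9197666d0c5e9a4a371b8ed468d73"
+},
+{
+"path": "default/tags.conf",
+"hash": "f055d2f3fd959b0af6c48b0494dadc36009b7a90fb5d1a83e0e6784c898d8e05"
+},
+{
+"path": "default/transforms.conf",
+"hash": "7d57050a65dd01efba192a5e74bbf74d9bfb54a240608ac265e57423c000b5ff"
+},
+{
+"path": "default/web.conf",
+"hash": "75f12a6541d22c27d526ab544973398ae4b6d5aa1e57e8e4b22e845e564a2e56"
+},
+{
+"path": "lookups/nix_da_update_status.csv",
+"hash": "a9a794b39377946e0dcb5f70c9c8ba6114fec1728512c9f39cfb0f3eca46159c"
+},
+{
+"path": "lookups/nix_da_version_ranges.csv",
+"hash": "992529c548d8273e073a988d089fbd5c7fa5c1ef47d51243e9da9dfb77eba6d2"
+},
+{
+"path": "lookups/nix_linux_audit_action_object_category.csv",
+"hash": "5838950fd3cade537dea91d1dcdcbd10532457fa7de07d397bfc699e56a19867"
+},
+{
+"path": "lookups/nix_linux_service_startmodes.csv",
+"hash": "dd669b358909f4d9be9d0aef9f4720e78a290e422a90ec3e3cdabe39ed9b8be2"
+},
+{
+"path": "lookups/nix_vendor_actions.csv",
+"hash": "f287b03905a705fed92dd4a1d1cf060c16b9521aba80b06494af8d5e8530fa97"
+},
+{
+"path": "metadata/default.meta",
+"hash": "6fa3057938996152cdfeddb46b20a1c079966ba87a56cf7c13c9d35f3caaf2e7"
+},
+{
+"path": "static/appIcon.png",
+"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+},
+{
+"path": "static/appIconAlt.png",
+"hash": "6cb62d7fd2d90e69d66c3e4fbede9692f9d650176a7a9ec06edd4026f1de580a"
+},
+{
+"path": "static/appIconAlt_2x.png",
+"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+},
+{
+"path": "static/appIconLg.png",
+"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+},
+{
+"path": "static/appIconLg_2x.png",
+"hash": "11ca7ef68587f5f1bacbbcb24b85924089724bcf02610b512f899fadac186f34"
+},
+{
+"path": "static/appIcon_2x.png",
+"hash": "d7ad6f1263583f5b280b52be4f8806b0d22a4aa6e328a0209212697b6734570c"
+}
+]
+},
+"products": [
+{
+"platform": "splunk",
+"product": "enterprise",
+"versions": [
+"9.1",
+"9.2",
+"9.3",
+"9.4"
+],
+"architectures": [
+"x86_64"
+],
+"operatingSystems": [
+"windows",
+"linux",
+"macos",
+"freebsd",
+"solaris",
+"aix"
+]
+},
+{
+"platform": "splunk",
+"product": "cloud",
+"versions": [
+"9.1",
+"9.2",
+"9.3",
+"9.4"
+],
+"architectures": [
+"x86_64"
+],
+"operatingSystems": [
+"windows",
+"linux",
+"macos",
+"freebsd",
+"solaris",
+"aix"
+]
+}
+]
+}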