I created .sh scripts that do the following: #!/bin/bash # Name of the service to monitor SERVICE_NAME="tomcat9" # Check if the service is running SERVICE_STATUS=$(systemctl is-active "$SERVICE_NAME.service") # Output status for Splunk if [ "$SERVICE_STATUS" == "active" ]; then echo "$(date): Service $SERVICE_NAME is running." else echo "$(date): Service $SERVICE_NAME is NOT running." fi The above is obviously what Im using for Tomcat but I have others all doing the thing just different service names. These scripts reside in: /opt/splunkforwarder/bin/scripts Additionally I have configured these scripts to be run in /opt/splunkforwarder/etc/system/local/inputs.conf an example of what that looks like is below: [script:///opt/splunkforwarder/bin/scripts/monitor_service_<service_name>.sh] disabled = false interval = 60 index = services sourcetype = service_status As you can see I also have configured the following: index = services sourcetype = service_status These are also configured in Splunk Enterprise respectively and the index is configured for Search, in linux  Splunk is the owner and the group is also Splunk. Additionally all of the scripts are executable and successfully run when I test them, however none of this data seems to be passed from the forwarder as none of the expected data is returned including the recognition of the index and sourcetype in Search.  Additionally I have attached a screen capture of splunkd.log showing the scripts as being recognized.   ... View more

Hi All,   I've installed the Splunk Add-on for Unix and Linux in both Splunk Enterprise as well as my forwarder which is running 9.3.2  However I keep running into this error below: 12-19-2024 15:54:30.303 +0000 ERROR ExecProcessor [1376795 ExecProcessor] - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/vmstat_metric.sh" /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/hardware.sh: line 62: /opt/splunkforwarder/var/run/splunk/tmp/unix_hardware_error_tmpfile: No such file or directory   The above is coming from the splunkd.log after I have stopped and restarted the SplunkForwarder.service.  I am very new to Splunk and do not posses any certifications.  My company has tasked me with learning and configuring Splunk and I am enjoying it except I am unable to get this data sent to my indexer so that I can see the data in Search and Reporting.   These are the steps taken so far: Installed Splunk Add-on for Unix and Linux on my enterprise UI machine installed Splunk Add-on for Unix and Linux on my unvf As the local directory was not created at "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/" I created it and copied the inputs.conf from default to local and then allowed the scripts I wanted. Made sure the Splunk user was owner and had the privileges needed to the local directory stopped the splunk service and restarted it. Ran -  cat /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR Almost every Error is "unix_hardware_error_tmpfile: No such file or directory" if I create the tmpfile it disappears and is not recreated I'm sure there are many other things I didnt mention because I honestly dont remember because I have been trying to figure this issue out since yesterday and am not getting anywhere.  PLEASE HELP! ... View more