The Splunk App for Unix 5.0 is finally here!

| history | search app="*nix"

Those of you who have been Splunk users for more than 4 years remember the glorious launch of the original Splunk App for Unix.  Back in those days, the app shipped with the core product alongside the Splunk App for Windows and had some pretty cutting edge features, including knowledge, dashboards, and saved searches with out-of-the-box email alerts (we’re still sorry, Paul S.).

Well, it took a while for us to follow up that triumphant release, but wait no longer: the new app is finally here!  And oh, what’s better, the app is FREE!!!  Read on for the technical details of the app.



One of the primary goals of the Splunk App for Unix 5.0 is to introduce new visualizations.  As much as we all love pie charts and line charts, we all hate pie charts and line charts.  In the home view, you can see two radial graphs, which are designed to:

  • Allow users to set color-based thresholds
  • Maximize screen real estate for outliers
  • Allow a quick, at-a-glance view into several metrics

One of the coolest little things about the radial gauge is the “tracers”, the dotted line that appears when a particular reading decreases in value.  We felt it was pretty obvious when a value was suddenly elevated, but less so when a value suddenly went down.  The tracers give the busy analyst, whose time is usually split among several screens and indicators, a better chance to notice changes on those huge monitors on the NOC/SOC wall.

Speaking of those ubiquitous monitors, clicking on the “expand” link on the home dashboard takes you to a special full screen version of the home dashboard that is designed for their resolution and contrast.


One of the things that I found frustrating about the last version of the Splunk App for Unix was that if I wanted to view two different metrics (say, CPU and Memory utilization), I had to load up two or three different dashboards in browser tabs and switch between them.  Another thing that wasn’t great for folks with large environments was that you could seldom see more than the top 10 hosts in any given metric.

The new metrics view allows several improvements from the old paradigm:

  • Choose which hosts you want to focus on
  • Build simple time series reports
  • Use shape and color to find trends and outliers
  • Visualize two sets of metrics side-by-side

If you want to get more information on a given host or hosts, the hosts view allows you to do just that.  Users of the Splunk App for Hadoop Ops or S.O.S might recognize this view, but we’ve embellished it a bit for this release:

  • Ability to switch between nodes and table views
  • Ability to filter by different host categories and groups (more on that below)
  • Ability to pin hosts and subsequently compare their snapshots


Actionable Indicators

One of the most important things for our users was more and better actionable indicators.  Put another way, visualizations and workflow are useful for solving problems, but what tells you that there is a problem in the first place?

The headlines feature on the home page allows you to link a headline, or short message, to a scheduled saved search that has been configured as an alert.  That way, you can get a truncated, context-specific indicator that helps you know when it is time to investigate.  Moreover, you may not need to see every alert that is fired on your system; in that case, just set up headlines for the alerts that are interesting enough to demand additional action.

OK, so you’ve seen the indicator fire – what’s so actionable about that?  Click on the indicator to be redirected to the alerts view, where you can see what was happening on the affected systems in the five minutes before the alert fired.  Of course, you can also view the results from the fired alert in the handy, familiar search view.

Asset Categorization

When we talked to our customers, one of the most consistent pieces of feedback we got was that asset management was a particularly hard problem for them in Splunk.  Specifically, they emphasized that they view their hosts through many different lenses.  For example, one team might be interested in pivoting and filtering on hosts based on their data center location, while others might be interested in tier (dev, test, QA, prod) and still others in business unit (Finance, Accounting, HR, Sales).

To help accomplish this, we introduced the concept of categories and groups.  Categories represent the view of your hosts that you want to take (datacenter, business unit, etc.) and groups allow you to compartmentalize your hosts into discrete buckets within the given category.  A host can only be a member of one group per category, but can be a member of many categories.  For example, host01 can be in the “east” group of the “datacenter” category and the “prod” group of the “tier” category, but can’t be in both the “east” and “west” groups of the datacenter category.  That doesn’t even make sense!
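To make the one-group-per-category rule concrete, here is a small Python model of the category/group scheme described above. It is an added example, not code from the Splunk App for Unix; the host,category,group CSV layout and the class and function names are assumptions made for illustration, and the sample rows are constructed. The `filter_hosts` helper shows the kind of combined filtering (e.g. every prod host in the east datacenter) that the hosts view’s category filters enable.

```python
"""Added example (not the app's own code): a model of host categories
and groups that enforces "one group per category, many categories per
host". The CSV layout below is a hypothetical lookup format."""
import csv
import io
from collections import defaultdict


class GroupConflict(ValueError):
    """Raised when a host would be placed in a second group of the same category."""


class HostCategories:
    def __init__(self):
        # host -> {category: group}
        self._by_host = {}
        # (category, group) -> set of hosts
        self._by_group = defaultdict(set)

    def assign(self, host, category, group):
        """Place host in group within category; reject a second group in that category."""
        current = self._by_host.get(host, {}).get(category)
        if current is not None and current != group:
            raise GroupConflict(
                f"{host} is already in group '{current}' of category '{category}'; "
                f"it cannot also be in '{group}'")
        self._by_host.setdefault(host, {})[category] = group
        self._by_group[(category, group)].add(host)

    def categories_of(self, host):
        """Return the {category: group} memberships of one host."""
        return dict(self._by_host.get(host, {}))

    def hosts_in(self, category, group):
        """Return the hosts in one group of one category, sorted by name."""
        return sorted(self._by_group.get((category, group), ()))

    def filter_hosts(self, **criteria):
        """Hosts matching every category=group pair, e.g. datacenter='east', tier='prod'."""
        return sorted(host for host, cats in self._by_host.items()
                      if all(cats.get(c) == g for c, g in criteria.items()))


def load_csv(text):
    """Build a HostCategories table from host,category,group rows (hypothetical layout)."""
    table = HostCategories()
    for row in csv.DictReader(io.StringIO(text)):
        table.assign(row["host"].strip(), row["category"].strip(), row["group"].strip())
    return table


# Constructed sample data: three hosts, two categories each.
SAMPLE = """host,category,group
host01,datacenter,east
host01,tier,prod
host02,datacenter,west
host02,tier,prod
host03,datacenter,east
host03,tier,dev
"""


def demo():
    """Load the sample, then try the invalid east+west assignment from the text.

    Returns the table and whether the conflicting assignment was rejected."""
    table = load_csv(SAMPLE)
    try:
        table.assign("host01", "datacenter", "west")
        rejected = False
    except GroupConflict:
        rejected = True
    return table, rejected


if __name__ == "__main__":
    table, rejected = demo()
    print("prod hosts in east:", table.filter_hosts(datacenter="east", tier="prod"))
    print("host01 memberships:", table.categories_of("host01"))
    print("east+west for host01 rejected:", rejected)
```

Because a rejected assignment leaves the table untouched, host01 stays in “east” after the failed attempt to add it to “west”, which is exactly the invariant the app’s categories rely on.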

What’s next

You tell us!  Most of the features in the app were dictated by you, the customer.  That’s just how we roll.  Thus, it is up to you to tell us where to go next.  Drop us a line on Splunk Answers to share your ideas.

One last note: thank you to Cary, Ian, Roy, Liu-Yuan, Barry, James, Malcolm, Jack, Stela, and the rest of the team that collaborated on this app with me.  It was fun, challenging, and most of all rewarding to work with all of you.  Here’s to next time!

Alex Raitz
