We're able to partially get the official Splunk universal forwarder docker container to run the official *Nix add-on so an endpoint can collect & send its basic host metrics, but some of the add-on's host metrics collector scripts fail, such as `cpu.sh`:
```
[ansible@alpha bin]$ cat debug--cpu.sh--Wed_Jan__1_12-35-08_UTC_2020
Not found any of commands [sar mpstat] on this host, quitting
```
Most scripts run fine like `netstat`/`top`/`ps` as we do `docker run --pid=host`. However, it looks like the official container is stripped down, so `cpu.sh` has missing dependencies as above.
We were just going to `apt-get install sar`... except we see no apt-get/apt/apk/yum:
-- Is there an alternate universal forwarder container we can put on these endpoints? This feels like the usual "alpine vs slim" issue, and other enterprise projects do stuff like dual releases here, but I couldn't find any.
-- Is there some other way to install those packages while keeping the forwarder in a slim container?