All,

I am not able to get collectD metrics to appear on my Splunk stand alone instance.

I am setting up CollectD in my lab as recommended by our support engineer to replace Splunk for Nix eventually in prod. COMPLETELY new to this. I stole this config from the Splunk configuring collectd guide:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Metrics/GetMetricsInCollectd#Configure_collectd

I have one box with everything on it including HEC.

LoadPlugin write_http
<Plugin write_http>
    <Node "node1">
        URL "https://localhost:8088/services/collector/raw"
        Header "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"
        Format "JSON"
        VerifyPeer false
        VerifyHost false
        Metrics true
        StoreRates true
    </Node>
</Plugin>

LoadPlugin cpu
<Plugin cpu>
  ReportByCpu true
</Plugin>

LoadPlugin interface

LoadPlugin syslog

LoadPlugin load
<Plugin load>
    ReportRelative true
</Plugin>

<Plugin logfile>
    LogLevel info
    File "/var/log/collectd.log"
    Timestamp true
    PrintSeverity false
</Plugin>

Include "/etc/collectd.d"

I don't think it's my HEC configuration as I can use this bash script I found to post collectD metrics to my metrics index without issue.

curl -k https://localhost:8088/services/collector/raw?sourcetype=collectd_http   \
-H "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"                                      \
-d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1541268208.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]'

So I think I must be doing something wrong with my collectd.conf file. But everything looks good as far as I know. Anything jumping out as a problem here to anyone?

EDIT - I just noticed that when I restart collectd, I get this message:

[root@splunkes administrator]# systemctl status collectd
● collectd.service - Collectd statistics daemon
   Loaded: loaded (/usr/lib/systemd/system/collectd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-11-03 22:47:20 UTC; 2s ago
     Docs: man:collectd(1)
           man:collectd.conf(5)
 Main PID: 14295 (collectd)
   CGroup: /system.slice/collectd.service
           └─14295 /usr/sbin/collectd

Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
[root@splunkes administrator]# date
Sat Nov  3 22:47:29 UTC 2018
[root@splunkes administrator]#