SAI, why no metrics from Linux with collectd write_splunk plugin? But it seems HEC is receiving data.

yhu_splunk
Splunk Employee

I have Splunk App for Infrastructure installed and configured. It works for the Windows agent, but I cannot make it work for the Linux server.

Collectd seems to run well with the write_splunk plugin. I run the search
index="_introspection" token | spath "data.token_name" | search "data.token_name"="collectd token"
and it looks like HEC is receiving data, as the screenshot shows.
But there is no data in the metrics index assigned to the HEC token, and a search for
| mstats count WHERE index=* AND metric_name=* by host, metric_name
shows only the Windows host.


yhu_splunk
Splunk Employee

Solved. Previously I selected collectd_http as the sourcetype, and it seems the em_metrics sourcetype is mandatory for the collectd write_splunk plugin; changing it to em_metrics solved the problem.
The em_metrics index is also mandatory for SAI. If you use another index, you have to adjust the SAI macros.

So, use em_metrics for both sourcetype and index.
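
A quick way to check for the mismatch described in the answer above, as an added example that is not part of the original post or Splunk's own tooling: it parses the HEC token stanzas of an inputs.conf and reports any whose sourcetype or index is not em_metrics. The sample config, the token values and the function name check_hec_tokens are constructed, and the code assumes that settings in the global [http] stanza act as defaults for token stanzas.

```python
import configparser

REQUIRED = "em_metrics"  # value the answer says both settings must have

# Constructed sample inputs.conf (not from the post); token values are placeholders.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0

[http://collectd token]
token = 00000000-0000-0000-0000-000000000001
index = em_metrics
sourcetype = collectd_http

[http://sai token]
token = 00000000-0000-0000-0000-000000000002
index = em_metrics
sourcetype = em_metrics

[http://other token]
token = 00000000-0000-0000-0000-000000000003
index = main
"""

def check_hec_tokens(conf_text):
    """Return {token_name: [problems]} for HEC token stanzas not set to em_metrics."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    # Assumption: the global [http] stanza supplies defaults for every token stanza.
    defaults = dict(cp["http"]) if cp.has_section("http") else {}
    findings = {}
    for section in cp.sections():
        if not section.startswith("http://"):
            continue  # not a HEC token stanza
        settings = {**defaults, **dict(cp[section])}
        problems = []
        for key in ("sourcetype", "index"):
            value = settings.get(key)
            if value != REQUIRED:
                problems.append(f"{key}={value or '<unset>'} (expected {REQUIRED})")
        if problems:
            findings[section[len("http://"):]] = problems
    return findings

if __name__ == "__main__":
    for name, problems in check_hec_tokens(SAMPLE_INPUTS_CONF).items():
        print(f"{name}: " + "; ".join(problems))
```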

jasonstone
Explorer

OMG! I spent at least a day (off and on) trying to figure this out.
UGH.
Thank you so much!!!!!!
