@smitra_splunk We faced a number of constraints that did not allow use of JSON as a transmission format; the older collectd we used also limited the plug-ins we could use, which meant a few data streams would be missing from those expected by the Splunk Add-on for Linux. This second constraint is of course not a problem if you're doing your own analysis of the data streams. We were also unable to use collectd's write_graphite plug-in. We ended up using collectd's write_csv to "log" the data locally, combined with a Universal Forwarder that processed the logs and sent their events in a simulated linux:collectd:graphite sourcetype.
The Universal Forwarder uses a network connection to send its data, very much like write_http does, but offers several advantages despite its light footprint: it can tag metadata; it buffers, compresses and secures the data transfers; it can consolidate data; it can handle index-time transformations; and it can even do load balancing (when its data are being consumed by several Splunk indexers).
Now, your problem seems to be that collectd is sending empty JSON fields, so my first thought would be to check the collectd configuration. The transmission mode (HEC vs. http vs. TCP vs. UDP) is extremely unlikely to be at fault here. Which collectd plug-ins are you using?