topic Re: SAI, why no metrics from Linux with collectd write_splunk plugin? But it seems HEC is receiving data. in All Apps and Add-ons

SAI, why no metrics from Linux with collectd write_splunk plugin? But it seems HEC is receiving data.

yhu_splunk — Wed, 30 Sep 2020 04:27:05 GMT

I have Splunk App for Infrastructure installed and configured, it works for Windows agent, but I cannot make it for Linux server.

Collectd seems runs well with write_splunk plugin, I run search
index="_introspection" token| spath "data.token_name" | search "data.token_name"="collectd token"
looks the HEC is receiving data like the screenshot shows.

But there is no data of the metrics index assigned to the HEC token, and search for
| mstats count WHERE index=* AND metric_name=* by host, metric_name
only Windows host shows.

Re: SAI, why no metrics from Linux with collectd write_splunk plugin? But it seems HEC is receiving data.

yhu_splunk — Wed, 30 Sep 2020 04:27:06 GMT

Solved, previously I select collectd_htttp as sourcetype, and it seems the em_metrics sourcetype is mandatory for collectd write_splunk plugin, change to em_metrics then solved.
em_metrics index is also mandatory for SAI, use other index then you have to adjust macros of SAI.

So, use em_metrics for both sourcetype and index.

Re: SAI, why no metrics from Linux with collectd write_splunk plugin? But it seems HEC is receiving data.

jasonstone — Fri, 01 May 2020 20:06:28 GMT

OMG! I spent at least a day (off and on) trying to figure this out.
UGH.
Thank you so much!!!!!!