Solved: SAI, why no metrics from Linux with collectd write...

yhu_splunk · ‎03-02-2020

I have Splunk App for Infrastructure installed and configured, it works for Windows agent, but I cannot make it for Linux server.

Collectd seems runs well with write_splunk plugin, I run search
index="_introspection" token| spath "data.token_name" | search "data.token_name"="collectd token"
looks the HEC is receiving data like the screenshot shows.

But there is no data of the metrics index assigned to the HEC token, and search for
| mstats count WHERE index=* AND metric_name=* by host, metric_name
only Windows host shows.

yhu_splunk · ‎03-03-2020

Solved, previously I select collectd_htttp as sourcetype, and it seems the em_metrics sourcetype is mandatory for collectd write_splunk plugin, change to em_metrics then solved.
em_metrics index is also mandatory for SAI, use other index then you have to adjust macros of SAI.

So, use em_metrics for both sourcetype and index.

View solution in original post

jasonstone · ‎05-01-2020

OMG! I spent at least a day (off and on) trying to figure this out.
UGH.
Thank you so much!!!!!!

yhu_splunk · ‎03-03-2020

Solved, previously I select collectd_htttp as sourcetype, and it seems the em_metrics sourcetype is mandatory for collectd write_splunk plugin, change to em_metrics then solved.
em_metrics index is also mandatory for SAI, use other index then you have to adjust macros of SAI.

So, use em_metrics for both sourcetype and index.

SAI, why no metrics from Linux with collectd write_splunk plugin? But it seems HEC is receiving data.

configuration

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!