I have Splunk App for Infrastructure installed and configured; it works for the Windows agent, but I cannot make it work for the Linux server.
Collectd seems to run well with the write_splunk plugin. I ran the search
index="_introspection" token| spath "data.token_name" | search "data.token_name"="collectd token"
and it looks like the HEC is receiving data, as the screenshot shows.
But there is no data in the metrics index assigned to the HEC token, and the search
| mstats count WHERE index=* AND metric_name=* by host, metric_name
shows only the Windows host.
Solved. Previously I selected collectd_http as the sourcetype, and it seems the em_metrics sourcetype is mandatory for the collectd write_splunk plugin; after changing it to em_metrics, the problem was solved.
The em_metrics index is also mandatory for SAI; if you use another index, you have to adjust the SAI macros.
So, use em_metrics for both the sourcetype and the index.
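The sourcetype the answer refers to is the default sourcetype on the HEC token itself, which in inputs.conf lives in the token's stanza. The fragment below is an added example, not configuration from the original post or from Splunk's own documentation; the stanza name "collectd token" matches the one in the question, the file path is the usual one when the token is created in the web UI, and the token value is a constructed placeholder. The two stanzas are shown as before/after alternatives, not as two entries for one file.

```ini
# $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf (assumed location:
# this is where tokens created via Settings > Data inputs > HTTP Event Collector land)
# Token value is a constructed placeholder, not a real token.

# Before (what the question describes): the token sends into the em_metrics index
# but tags events with the collectd_http sourcetype. HEC accepts the data
# (hence the hits in _introspection), but SAI expects sourcetype=em_metrics,
# so the Linux host never appears in the SAI metrics searches.
[http://collectd token]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
index = em_metrics
indexes = em_metrics
sourcetype = collectd_http

# After (the fix from the accepted answer): em_metrics for both index and sourcetype.
[http://collectd token]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
index = em_metrics
indexes = em_metrics
sourcetype = em_metrics
```

After editing the token (in the UI, or in the file followed by a Splunk restart), confirm the effective settings with `splunk btool inputs list "http://collectd token" --debug`, which also shows which file each key comes from, then re-run the `| mstats count WHERE index=* AND metric_name=* by host, metric_name` search from the question and check that the Linux host is listed alongside the Windows one.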
OMG! I spent at least a day (off and on) trying to figure this out.
UGH.
Thank you so much!!!!!!