All Apps and Add-ons

Splunk App for Infrastructure 2.0 not showing entities

Loves-to-Learn Lots

We are running Splunk Enterprise with Splunk App for Infrastructure 2.0. We have deployed collectd on a RedHat server according to docs. With the metrics workspace we can see data but within the Splunk App for Infrastructure Investigate the entity is not visible. We have also a search head ( running with ITSI and in their is the Splunk App for Infrastructure version 1.4.1 which is showing the added entity. So to me it looks like it has to do with the Splunk App for Infrastructure version. But how can I fix this on the 2.0 version so that entities are being visible. Also i looked at an lookup called em_entities but that stays empty on the 2.0 version app.
I cannot find out what is filling that lookup or the entities in the investigate dashboard.
Also other answer posts have not revealed any solution.

0 Karma

Loves-to-Learn Lots

I have done some research and somehow the installation of the SAI 2.0 was not completely correct. I had done the first installation by using winunzip and then copy the uncompressed SAI 2.0 to a folder for our deployer repository. After this I was in the assumption that everything was working correctly which was not true. Now i uncompressed the SAI 2.0 using tar directly within our deployer repository and now it just works as it should. So the investigate tab is showing results.

0 Karma

Loves-to-Learn Lots

I run this query on the SHC SE with SAI 2.0 and no results at all (last 7 days), so it looks like some processes are not running at all.

About environment: We do run one IDXC SE with the SAI_TA 2.0 installed. We have one SHC SE running the SAI 2.0 app, the one that this post is about. We have one SH SE running ITSI 4.3.1 and as such SAI 1.4.1 and I do see now also the SAI-TA 1.4.1 installed. But regarding to docs the SAI-TA doesn't need to be on the SH's but only on indexers or heavy forwarders. Then we have a couple of HF SE with the SAI-TA 2.0 installed and configured to use HEC with the following configuration:

connection_host = ip
disabled = 0
index = em_metrics
indexes = em_metrics
queueSize = 1MB
description = Metrics data for the Splunk App for Infrastructure
token = <here is a valid token>
sourcetype = em_metrics

The collectd agent is manually installed and configured according to the documentation.
On the ITSI SH this Linux server is visible within the investigate. But on the SHC (running SAI 2.0) not.
collectd agent visible within ITSI

0 Karma

Splunk Employee
Splunk Employee

Hi, sorry to hear that entity discovery is not working properly. Could you please execute the following search in the search app (on the instance with SAI 2.0 deployed) and let us know if you see any error that shows up repetitively every minute?

index=_internal sourcetype=splunk_app_infrastructure source="*sai_entity_manager.log*"

Also can you please let us know if you have ITSI installed the same instance and what version? plus if that's a distributed environment or not? thanks

0 Karma
Get Updates on the Splunk Community!

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...

Cloud Platform | Discontinuing support for TLS version 1.0 and 1.1

Overview Transport Layer Security (TLS) is a security communications protocol that lets two computers, ...

New Customer Testimonials

Enterprises of all sizes and across different industries are accelerating cloud adoption by migrating ...