We are running Splunk Enterprise 18.104.22.168 with Splunk App for Infrastructure 2.0. We have deployed collectd on a RedHat server according to the docs. With the metrics workspace we can see data, but within the Splunk App for Infrastructure Investigate the entity is not visible. We also have a search head (22.214.171.124) running with ITSI, and in there is the Splunk App for Infrastructure version 1.4.1, which is showing the added entity. So to me it looks like it has to do with the Splunk App for Infrastructure version. But how can I fix this on the 2.0 version so that entities are visible? I also looked at a lookup called em_entities, but that stays empty on the 2.0 version app.
I cannot find out what is filling that lookup or the entities in the investigate dashboard.
Also other answer posts have not revealed any solution.
I have done some research and somehow the installation of the SAI 2.0 was not completely correct. I had done the first installation by using winunzip and then copying the uncompressed SAI 2.0 to a folder for our deployer repository. After this I was under the assumption that everything was working correctly, which was not true. Now I uncompressed the SAI 2.0 using tar directly within our deployer repository and now it just works as it should. So the investigate tab is showing results.
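A way to check an unpacked app against the archive it came from, as an added example that is not part of the original post or of Splunk's tooling. The post does not say what the first unpack got wrong, so this reports the general differences (missing files, size changes, lost execute bits, lost symlinks); the `demo_app` archive and its file names are constructed sample data.

```python
import io, os, tarfile, tempfile

def compare_to_archive(archive_path, deployed_root):
    """List (problem, member) pairs where the unpacked tree differs from the archive."""
    findings = []
    with tarfile.open(archive_path) as tar:
        for m in tar.getmembers():
            path = os.path.join(deployed_root, m.name)
            if not os.path.lexists(path):
                findings.append(("missing", m.name))
            elif m.isfile():
                st = os.lstat(path)
                if st.st_size != m.size:
                    findings.append(("size_differs", m.name))
                # Windows filesystems do not keep POSIX mode bits, so this can be lost.
                if m.mode & 0o111 and not st.st_mode & 0o111:
                    findings.append(("not_executable", m.name))
            elif m.issym() and not os.path.islink(path):
                findings.append(("symlink_lost", m.name))
    return findings

def build_demo(workdir):
    """Constructed sample: a tiny app archive, a clean unpack and a damaged copy."""
    archive = os.path.join(workdir, "demo_app.tgz")
    members = {"demo_app/default/app.conf": (b"[install]\nstate = enabled\n", 0o644),
               "demo_app/bin/collect.sh": (b"#!/bin/sh\necho ok\n", 0o755)}
    with tarfile.open(archive, "w:gz") as tar:
        for name, (data, mode) in members.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    good, bad = os.path.join(workdir, "good"), os.path.join(workdir, "bad")
    for dest in (good, bad):
        with tarfile.open(archive) as tar:
            tar.extractall(dest)
    # Simulate a lossy unpack-and-copy: one file dropped, execute bit stripped.
    os.remove(os.path.join(bad, "demo_app/default/app.conf"))
    os.chmod(os.path.join(bad, "demo_app/bin/collect.sh"), 0o644)
    return archive, good, bad

def run_demo():
    with tempfile.TemporaryDirectory() as workdir:
        archive, good, bad = build_demo(workdir)
        return compare_to_archive(archive, good), compare_to_archive(archive, bad)

if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean unpack:", clean)
    print("damaged copy:", damaged)
```

Pointing `compare_to_archive` at the vendor tarball and the app directory in the deployer repository gives an empty list when the unpack is faithful.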
I run this query on the SHC SE 126.96.36.199 with SAI 2.0 and no results at all (last 7 days), so it looks like some processes are not running at all.
About the environment: We run one IDXC SE 188.8.131.52 with the SAI_TA 2.0 installed. We have one SHC SE 184.108.40.206 running the SAI 2.0 app, the one that this post is about. We have one SH SE 220.127.116.11 running ITSI 4.3.1 and as such SAI 1.4.1, and I now also see the SAI-TA 1.4.1 installed. But according to the docs the SAI-TA doesn't need to be on the SHs but only on indexers or heavy forwarders. Then we have a couple of HF SE 18.104.22.168 with the SAI-TA 2.0 installed and configured to use HEC with the following configuration:
connection_host = ip
disabled = 0
index = em_metrics
indexes = em_metrics
queueSize = 1MB
description = Metrics data for the Splunk App for Infrastructure
token = <here is a valid token>
sourcetype = em_metrics
The collectd agent is manually installed and configured according to the documentation.
On the ITSI SH this Linux server is visible within the investigate. But on the SHC (running SAI 2.0) not.
Hi, sorry to hear that entity discovery is not working properly. Could you please execute the following search in the search app (on the instance with SAI 2.0 deployed) and let us know if you see any error that shows up repetitively every minute?