Splunk App for Infrastructure 2.0 not showing entities

lekanneer
Loves-to-Learn Lots

We are running Splunk Enterprise 7.3.1.1 with Splunk App for Infrastructure 2.0. We have deployed collectd on a RedHat server according to the docs. With the metrics workspace we can see data, but within the Splunk App for Infrastructure Investigate the entity is not visible. We also have a search head (7.3.1.1) running with ITSI, and in there is the Splunk App for Infrastructure version 1.4.1, which is showing the added entity. So to me it looks like it has to do with the Splunk App for Infrastructure version. But how can I fix this on the 2.0 version so that entities are visible? Also I looked at a lookup called em_entities, but that stays empty on the 2.0 version of the app.
I cannot find out what is filling that lookup or the entities in the Investigate dashboard.
Also, other answer posts have not revealed any solution.

0 Karma

lekanneer
Loves-to-Learn Lots

I have done some research and somehow the installation of the SAI 2.0 was not completely correct. I had done the first installation by using winunzip and then copying the uncompressed SAI 2.0 to a folder for our deployer repository. After this I was under the assumption that everything was working correctly, which was not true. Now I uncompressed the SAI 2.0 using tar directly within our deployer repository and now it just works as it should. So the Investigate tab is showing results.

0 Karma

lekanneer
Loves-to-Learn Lots

I ran this query on the SHC SE 7.3.1.1 with SAI 2.0 and got no results at all (last 7 days), so it looks like some processes are not running at all.

About the environment: We run one IDXC SE 7.3.1.1 with the SAI_TA 2.0 installed. We have one SHC SE 7.3.1.1 running the SAI 2.0 app, the one that this post is about. We have one SH SE 7.3.1.1 running ITSI 4.3.1 and as such SAI 1.4.1, and I now see the SAI-TA 1.4.1 installed there as well. But according to the docs the SAI-TA doesn't need to be on the SHs, only on indexers or heavy forwarders. Then we have a couple of HF SE 7.3.1.1 with the SAI-TA 2.0 installed and configured to use HEC with the following configuration:

[http://em_metrics]
connection_host = ip
disabled = 0
index = em_metrics
indexes = em_metrics
queueSize = 1MB
description = Metrics data for the Splunk App for Infrastructure
token = <here is a valid token>
sourcetype = em_metrics

The collectd agent is manually installed and configured according to the documentation.
On the ITSI SH this Linux server is visible within Investigate, but not on the SHC (running SAI 2.0).
collectd agent visible within ITSI

0 Karma

junyuw
Splunk Employee

Hi, sorry to hear that entity discovery is not working properly. Could you please execute the following search in the search app (on the instance with SAI 2.0 deployed) and let us know if you see any error that shows up repetitively every minute?

index=_internal sourcetype=splunk_app_infrastructure source="*sai_entity_manager.log*"

Also, can you please let us know if you have ITSI installed on the same instance and what version, plus whether that's a distributed environment or not? Thanks.

0 Karma
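As an added example (not code from the original thread or from Splunk), here is one way to triage the output of that search offline: a Python script that groups ERROR lines by message and flags the ones recurring at roughly one-minute intervals, which is the "repetitive every minute" pattern the reply asks about. The log line layout and the messages in SAMPLE_LOG are constructed assumptions, since the real sai_entity_manager.log format is not shown in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in a generic Splunk-style layout. The real
# sai_entity_manager.log format is not shown on the page; this is an assumption.
SAMPLE_LOG = """\
2019-11-04 10:00:01,120 INFO entity_manager - discovery cycle started
2019-11-04 10:00:01,455 ERROR entity_manager - lookup em_entities not found
2019-11-04 10:01:01,233 ERROR entity_manager - lookup em_entities not found
2019-11-04 10:01:30,000 ERROR entity_manager - one-off timeout talking to KV store
2019-11-04 10:02:01,118 ERROR entity_manager - lookup em_entities not found
2019-11-04 10:03:01,402 ERROR entity_manager - lookup em_entities not found
"""

# timestamp, level, component, message
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) \S+ - (.*)$")


def parse_errors(text):
    """Return {message: [timestamps]} for ERROR-level lines only."""
    errors = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "ERROR":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        errors[m.group(3)].append(ts)
    return errors


def recurring_errors(text, period_s=60, tolerance_s=5, min_count=3):
    """Messages whose repeats are spaced about period_s apart (e.g. every minute).

    Returns {message: occurrence_count}; one-off errors are ignored.
    """
    found = {}
    for msg, stamps in parse_errors(text).items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period_s) <= tolerance_s:
            found[msg] = len(stamps)
    return found


if __name__ == "__main__":
    for msg, n in recurring_errors(SAMPLE_LOG).items():
        print(f"{n}x about every minute: {msg}")
```

Run it against a file exported from the search above (adjusting LINE_RE to the actual line layout) to separate a scheduled-process error from incidental noise.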