
Splunk App for Infrastructure not displaying entities

Path Finder

I have installed the Splunk App for Infrastructure on my server.
I followed the instructions and ran a script on a second instance (a UF was installed and data is received by the server).
However, I waited for more than 5 minutes but cannot see any entity appearing.
What can be the possible issue?


Re: Splunk App for Infrastructure not displaying entities

Explorer

Confirm that you are talking about the "Splunk App for Infrastructure" and not the "Splunk App for Windows Infrastructure".

If you are talking about the Splunk App for Infrastructure, make sure you install the Add-on as well. You need it too.

0 Karma

Re: Splunk App for Infrastructure not displaying entities

Engager

I'm running into the same issue as well. I followed the documentation at:
http://docs.splunk.com/Documentation/InfraApp/1.2.1/Install/DistributedDeployment

and I'm not seeing any entities populate. I've been trying on Linux and Windows machines.

0 Karma

Re: Splunk App for Infrastructure not displaying entities

Path Finder

I am also facing the same issue. Can anyone tell what the problem is?

0 Karma

Re: Splunk App for Infrastructure not displaying entities

Path Finder

Hello,

  • Did you install the Splunk Add-on for Infrastructure on your indexer(s)?
  • Do you receive data in your index em_metrics?
  • Did you set up _meta in your inputs.conf?

Regards,
Francois

0 Karma

Re: Splunk App for Infrastructure not displaying entities

Explorer

Setting up SAI is a multistep process. Start here https://docs.splunk.com/Documentation/InfraApp/2.1.0/Install/About
Read the installation instructions https://docs.splunk.com/Documentation/InfraApp/2.1.0/Install/DistributedDeployment
1. Install the Splunk App for Infrastructure on search heads
2. Install the Splunk Add-on for Infrastructure on indexers. This sets everything up for inputs there. When you install the add-on, it creates the em_metrics and infra_alerts indexes, and handles props and transforms for all data types.
3. Configure inputs.conf for the indexing tier. Do not forget HEC - When you configure an HEC token, set the source type to em_metrics, and specify the metrics index you want to use. By default, the metrics index is em_metrics. For more information about configuring an HEC token, see Create an Event Collector token in the Getting Data In guide.
4. Push the indexer cluster master node's configuration bundle to the indexer cluster (if you use indexer clusters)
5. Configure data collection using the App for Infrastructure's "add data": select the OS and customize. It will generate a custom installation script to deploy the config (along with the UF if there is not one).
6. Deploy the custom script file created in step 5 to your endpoints like you might do other software. I used PowerShell to deploy to a list of Windows systems and bash for Linux. You can easily deploy the configuration files without using the "add data" wizard. It will not redeploy the UF if there is one installed.

Problems/Solutions
I could not get the App to work on the search head without adding the Splunk Add-on for Infrastructure to the search head. I think I had one system showing up until I added the TA on the search head.
Had one Windows system that would not report into the dashboard. It ended up being a time-sync issue. The system clock on the Windows Server was not set up for NTP.

0 Karma
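
The configuration checks raised in the replies above (HEC token with source type em_metrics and a metrics index, `_meta` set in inputs.conf) can be run as a small lint over an inputs.conf file. This is an added example, not part of the thread or of Splunk's own tooling; the stanza names, tokens and `_meta` value in the sample are constructed placeholders, and the rule that every non-HEC input writing to the metrics index should carry `_meta` is an assumption.

```python
import configparser

# Constructed sample inputs.conf content (tokens, stanza names and the _meta value are placeholders).
SAMPLE_INPUTS_CONF = """
[http://sai_hec]
disabled = 0
token = 00000000-0000-0000-0000-000000000000
sourcetype = em_metrics
index = em_metrics

[http://misconfigured_hec]
disabled = 0
token = 11111111-1111-1111-1111-111111111111
sourcetype = httpevent

[perfmon://CPU]
index = em_metrics
_meta = example_dimension::example_value

[perfmon://Memory]
index = em_metrics
"""


def lint_inputs_conf(text, metrics_index="em_metrics"):
    """Return (stanza, problem) pairs for the settings the thread says to verify."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    findings = []
    for stanza in parser.sections():
        opts = parser[stanza]
        if stanza.startswith("http://"):  # HEC token stanza (step 3 above)
            if opts.get("disabled", "0").strip().lower() in ("1", "true"):
                findings.append((stanza, "HEC token is disabled"))
            if opts.get("sourcetype") != "em_metrics":
                findings.append((stanza, "sourcetype is not em_metrics"))
            if opts.get("index") != metrics_index:
                findings.append((stanza, "index is not " + metrics_index))
        # Assumption: any other input writing to the metrics index should carry _meta.
        elif opts.get("index") == metrics_index and not opts.get("_meta", "").strip():
            findings.append((stanza, "_meta is not set"))
    return findings


if __name__ == "__main__":
    for stanza, problem in lint_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {problem}")
```

Pass a different `metrics_index` if the HEC token was pointed at a metrics index other than the default em_metrics.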