Version: App for Infrastructure 1.2.0
Splunk Enterprise 7.2
Comments: I had to manually create the em_metrics index. I did not see this as a step in the installation docs, but it didn't work until I did this. I'm wondering if the installation of the app didn't complete successfully?
Once it did start logging metrics, the Entity Name of the server being monitored was displaying wrong. The entity shows up as the name of the HTTP Event Collector (HEC) hostname and HEC port instead of the actual host name of the server being monitored. The host dimension also showed the HEC hostname and port instead of the host name of the server being monitored.
Other Splunk events coming from the server are displaying the correct host name. This only seems to be an issue for the App for Infrastructure data coming from the server.
Did I do something wrong when configuring the server? Is there a way to fix the Entity Name and Host dimension? I have tried rerunning the add data script but it did not fix anything.
Do you have "Splunk Add-on for Infrastructure" installed on your Splunk Enterprise? You will need that.
Thank you. That was the problem.
Also make sure that your HEC input has
index=em_metrics
and
sourcetype=em_metrics
And make sure that your HEC input for the collectd inputs has:
index=em_metrics
and
sourcetype=em_metrics
for the transforms to kick in.
I have this issue also. I have both the App and Add-on installed on my Win 2016 server and yet the Linux server is showing in App for Infra with the Win2016 server name and HEC port number. The metrics do indicate it's a RHEL7 server, with the name of my Windows box.
Did you do anything after installing the Add-on? I've removed both App and Add-on, deleted the index, installed both the App and Add-on and I still get the name of the Windows server for my Linux box.
Thanks, I have em_metrics as the index and have Metrics -> collectd_http in the HEC settings.
I also verified that Hostname is set to the RHEL7 name. The only mention of the HEC server is in the stanza which includes the HEC server, port, and token.
Change sourcetype from "collectd_http" to "em_metrics".
Check the (Settings -> Data Inputs -> HTTP Event Collector):
It should have HEC token like:
Name : "Any Name"
Token Value : <token used in collectd.conf settings>
SourceType: "em_metrics"
Index: "em_metrics"
Yes, that's exactly what I have. I just did a "splunk clean eventdata -index em_metrics" and after a few seconds, I saw the entity with wrong name labeled Inactive and a new Entity with the correct server name as Active.
Thanks for your help with the sourcetype, that was the key.
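The check the thread converges on, as an added example that is not part of the original posts: given the token value from collectd.conf, confirm that the HEC stanza owning it sets index and sourcetype to em_metrics. It assumes the token is defined in an inputs.conf `[http://<name>]` stanza; the sample file, stanza names and token values below are constructed, and `check_hec_token` is a hypothetical helper name.

```python
import configparser

# Values the thread says the collectd HEC token needs for the transforms to apply.
REQUIRED = {"index": "em_metrics", "sourcetype": "em_metrics"}

# Constructed sample inputs.conf: stanza names and token values are made up.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
port = 8088

[http://collectd_linux]
token = 11111111-2222-3333-4444-555555555555
index = em_metrics
sourcetype = collectd_http

[http://app_logs]
token = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
index = main
sourcetype = _json
"""

def check_hec_token(conf_text, token_value):
    """Return a list of problems for the HEC stanza that owns token_value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    for name in parser.sections():
        # Only per-token stanzas; the bare [http] stanza holds global HEC settings.
        if not name.startswith("http://"):
            continue
        stanza = parser[name]
        if stanza.get("token", "").strip() != token_value:
            continue
        problems = []
        if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            problems.append(f"{name}: token is disabled")
        for key, want in REQUIRED.items():
            got = stanza.get(key)
            if got is None:
                problems.append(f"{name}: {key} not set, expected {want}")
            elif got.strip() != want:
                problems.append(f"{name}: {key} = {got.strip()}, expected {want}")
        return problems
    return [f"no [http://...] stanza uses token {token_value}"]

if __name__ == "__main__":
    for line in check_hec_token(SAMPLE_INPUTS_CONF, "11111111-2222-3333-4444-555555555555"):
        print(line)
```

An empty list means the token matches the settings given in the thread; the sample reproduces the collectd_http sourcetype that caused the wrong entity name.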