Why is the App for Infrastructure Entity Name displaying as the values that were set in SPLUNK_URL:HEC_PORT instead of the monitored server name?

rdvanto2
Engager

Version: App for Infrastructure 1.2.0
Splunk Enterprise 7.2

Comments: I had to manually create the em_metrics index. I did not see this as a step in the installation docs, but it didn't work until I did this. I'm wondering if the installation of the app didn't complete successfully?

Once it did start logging metrics, the Entity Name of the server being monitored was displaying wrong. The entity shows up as the name of the Http Event Collector (HEC) hostname and HEC port instead of the actual host name of the server being monitored. The host dimension also showed the HEC hostname and port instead of the host name of the server being monitored.

Other Splunk events coming from the server are displaying the correct host name. This only seems to be an issue for the App for Infrastructure data coming from the server.

Did I do something wrong when configuring the server? Is there a way to fix the Entity Name and Host dimension? I have tried rerunning the add data script but it did not fix anything.

1 Solution

dagarwal_splunk
Splunk Employee

Do you have "Splunk Add-on for Infrastructure" installed on your Splunk Enterprise? You will need that.

rdvanto2
Engager

Thank you. That was the problem.

0 Karma

yannK
Splunk Employee

Also make sure that your HEC input has
index=em_metrics
and
sourcetype=em_metrics

0 Karma

yannK
Splunk Employee

And make sure that your HEC input for the Collectd inputs has:

index=em_metrics
and
sourcetype=em_metrics

for the transforms to kick in.

0 Karma

gcsefai
New Member

I have this issue also. I have both the App and Add-on installed on my Win 2016 server and yet the Linux server is showing in App for Infra with the Win2016 server name and HEC port number. The metrics do indicate it's a RHEL7 server, with the name of my Windows box.

Did you do anything after installing the Add-on? I've removed both App and Add-on, deleted the index, installed both the App and Add-on and I still get the name of the Windows server for my Linux box.

0 Karma

dagarwal_splunk
Splunk Employee

  1. Make sure you are using "em_metrics" as both sourcetype and index.
  2. Check your "/etc/collectd.conf" file on your RHEL7 server. See what the "Hostname <>" field is in this file.

0 Karma

gcsefai
New Member

Thanks, I have em_metrics as the index and have Metrics -> collectd_http in the HEC settings.

I also verified that Hostname is set to the RHEL7 name. The only mention of the HEC server is in the stanza which includes the HEC server, port, and token.

0 Karma

dagarwal_splunk
Splunk Employee

Change sourcetype from "collectd_http" to "em_metrics".

0 Karma

dagarwal_splunk
Splunk Employee

Check the (Settings -> Data Inputs -> HTTP Event Collector):

It should have HEC token like:
Name : "Any Name"
Token Value : <token used in collectd.conf settings>
SourceType: "em_metrics"
Index: "em_metrics"

0 Karma

gcsefai
New Member

Yes, that's exactly what I have. I just did a "splunk clean eventdata -index em_metrics" and after a few seconds, I saw the entity with wrong name labeled Inactive and a new Entity with the correct server name as Active.

Thanks for your help with the sourcetype, that was the key.

0 Karma
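
Added example, not part of the original thread and not Splunk's own code: a small check that reads HEC token stanzas from `inputs.conf` text and reports any whose `index` or `sourcetype` is not `em_metrics`, the mismatch that produced the wrong Entity Name above. The stanza names and token values in the sample are constructed placeholders.

```python
import configparser

EXPECTED = {"index": "em_metrics", "sourcetype": "em_metrics"}

# Constructed sample inputs.conf; stanza names and tokens are placeholders.
SAMPLE_INPUTS_CONF = """
[http]
disabled = 0
port = 8088

[http://collectd_wrong]
token = 00000000-0000-0000-0000-000000000001
index = em_metrics
sourcetype = collectd_http

[http://collectd_ok]
token = 00000000-0000-0000-0000-000000000002
index = em_metrics
sourcetype = em_metrics

[monitor:///var/log/messages]
sourcetype = syslog
"""

def audit_hec_tokens(conf_text, expected=EXPECTED):
    """Return {token_stanza: {setting: actual_value}} for every HEC token
    stanza whose index or sourcetype differs from the expected value."""
    parser = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#",),
        interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("http://"):  # skip [http] and non-HEC inputs
            continue
        wrong = {}
        for key, want in expected.items():
            got = parser.get(section, key, fallback=None)  # None = not set
            if got != want:
                wrong[key] = got
        if wrong:
            findings[section] = wrong
    return findings

if __name__ == "__main__":
    for stanza, wrong in audit_hec_tokens(SAMPLE_INPUTS_CONF).items():
        for key, got in wrong.items():
            print(f"[{stanza}] {key}={got!r}, expected {EXPECTED[key]!r}")
```

The check reads a single file's text, so on a real instance it is best run against the merged configuration (for example the output of `splunk btool inputs list`) rather than one app's `inputs.conf`.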