Hello,
My goal is to send rrd file data to a Splunk indexer.
I have a remote host that currently forwards linux_secure data to the indexer - works fine.
I am NEVER able to create an input for any port tcp or otherwise from this dialog window:
When I configure a TCP forward-server using the UF, the forward-server never goes active - I only get "cooked" data on the indexer. The host and source type are configured.
If I configure a port (tcp or udp) from here: this comes from Data/Data inputs/TCP
This setting comes from Settings/Data/Forwarding and receiving
I get data to the indexer.
I may be missing something.
I installed collectd on a remote host, configured it for the csv plugin and the cpu plugin - this data is being collected and saved to the /var/lib/collectd directory on the remote host.
How can I get this data to splunk and graph it?
I can see data coming in - but cannot do anything with it. The Splunk web site says that the HEC inputs must be used to get metrics into Splunk. How do I configure the remote host to do this? I.e. send the data from collectd to Splunk.
I am open to suggestions and clarification
thanks
eholz1
Hi @eholz1 ,
There are a few examples you can use to assist getting collectd metrics into Splunk via HEC.
The Splunk Addon for Linux docs describe how to send collectd via HEC
https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure
The Analytics for Linux app also has working examples.
https://splunkbase.splunk.com/app/3777/#/details
They both use the write_http plugin in collectd.conf
Read the docs page to ensure you are setting the HEC up correctly.
https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector
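A collectd.conf fragment for the write_http approach the answer above points to, added here as an example and not taken from the thread. It goes on the host where collectd runs; the hostname, port, token and CA path are placeholders, and the HEC token is assumed to target a metrics index with the collectd_http sourcetype.

```conf
# Added example: collectd -> Splunk HEC over TLS using write_http.
# All <...> values are placeholders, not values from this thread.

LoadPlugin cpu
LoadPlugin write_http

<Plugin write_http>
  <Node "splunk_hec">
    # HEC raw endpoint on the Splunk instance that has HEC enabled.
    URL "https://<splunk-host>:<hec-port>/services/collector/raw"

    # The HEC token is a bearer credential: anyone who can read this file
    # can write to the index behind the token. Keep collectd.conf readable
    # by root only (for example mode 0600) and scope the token to a single
    # metrics index.
    Header "Authorization: Splunk <hec-token>"

    # Send metrics as JSON, with counters converted to rates.
    Format "JSON"
    Metrics true
    StoreRates true

    # Keep certificate validation on so the token is only ever sent to the
    # real HEC endpoint. Point CACert at the CA that signed the Splunk
    # server certificate instead of setting these to false.
    VerifyPeer true
    VerifyHost true
    CACert "<path-to-ca-bundle.pem>"
  </Node>
</Plugin>
```

Restart collectd after the change. If nothing arrives, check the collectd log for TLS or HTTP 401/403 errors before loosening VerifyPeer or VerifyHost.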
Forgot to ask,
I have collectd installed on the remote host, not the indexer. Should collectd be installed on the indexer and point to the remote host I want to monitor?
Thanks,
eholz1
Hello Chaker,
Thanks for responding to my question. I will review the links you placed in your response.
This will help.
Thank you very much for taking the time to respond.
Eholz1