Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to use collectd on a remote host with Universal Forwarder?

eholz1
Builder
‎09-23-2022 03:24 PM

Hello,

My goals is to send rrd file data to a splunk indexer.

I have a remote host that currently forwards linux_secure data to the indexer - works fie.

I am NEVER able to create an input for any port tcp or otherwise from this dialog window:

eholz1_0-1663970876641.png

When I configure a TCP forward-server using lthe UF the forward-server never goes active - I only get "cooked" data on the indexer. the host and source type are configured

If I configure a port (tcp or udp) from here: this comes from Data/Data inputs/TCP

eholz1_1-1663971021604.png

This setting comes from Settings/Data/Forwarding and receiving

I get data to the indexer. 

I may be missing something.

I installed collectd on a remote host, configured it for the csv plug in, and the cpu plugin -  this data is being collected and save to the /var/lib/collectd directory on the remote host.

How can I get this data to splunk and graph it?

I can see data coming in - but cannot do anything with it. The splunk web site says that the HEC inputs must be used to get metrics into splunk. How do I configure the remote host to do this? I.E. send the data from collectd to splunk,

I am open to suggestions and clarification

thanks

eholz1

 

Labels (2)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chaker
Contributor
‎09-25-2022 03:28 AM

 Hi @eholz1 ,

There are a few examples you can use to assist getting collectd metrics into Splunk via hec

The Splunk Addon for Linux docs describe how to send collectd via HEC
https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure

The Analytics for Linux app also has working examples.
https://splunkbase.splunk.com/app/3777/#/details

They both use the write_http plugin in collectd.conf

Read the docs page to ensure you are setting the HEC up correctly.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector

 

 

View solution in original post

Reply
Solved! Jump to solution
Solution

chaker
Contributor
‎09-25-2022 03:28 AM

 Hi @eholz1 ,

There are a few examples you can use to assist getting collectd metrics into Splunk via hec

The Splunk Addon for Linux docs describe how to send collectd via HEC
https://docs.splunk.com/Documentation/AddOns/released/Linux/Configure

The Analytics for Linux app also has working examples.
https://splunkbase.splunk.com/app/3777/#/details

They both use the write_http plugin in collectd.conf

Read the docs page to ensure you are setting the HEC up correctly.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/UsetheHTTPEventCollector

 

 

Reply
Solved! Jump to solution

eholz1
Builder
‎09-26-2022 07:28 AM

Forgot to ask,

I have collectd installed on the remote host, not the indexer. Should collectd be installed on the indexer and point to the remote host I want to monitor?

 

Thanks,

eholz1

 

0 Karma
Reply
Solved! Jump to solution

eholz1
Builder
‎09-26-2022 07:22 AM

Hello Chaker,

Thanks for responding to my question. I will review the links you placed in your respose.

This will help.

Thank you very much for taking the time to respond.

 

Eholz1

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...