
Sending splunkmetrics via HEC from telegraf, Splunk shows bytes received but no bytes indexed.

thomasyung

From Splunk's logs (and _introspection) I can see the data coming in, but not being indexed. I have indexes created and working with other data sources, but I can't seem to see any events from this Telegraf source.

Please see the relevant part of my Telegraf config, using the [[outputs.http]] plugin.

[global_tags]
  # dc = "us-east-1" # will tag all metrics with dc=us-east-1
  # rack = "1a"
  ## Environment variables can be used as tags, and throughout the config file
  #user = "telegraf"
  index = "main"

[agent]
  interval = "30s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000
  collection_jitter = "0s"
  flush_interval = "10s"
  flush_jitter = "0s"
  precision = ""
  debug = false
  quiet = false
  logtarget = "file"
  logfile = "/var/log/telegraf/telegraf.log"
  logfile_rotation_interval = "0d"
  logfile_rotation_max_size = "1MB"
  logfile_rotation_max_archives = 5
  hostname = ""
  omit_hostname = false


[[outputs.http]]
   ## URL is the address to send metrics to
   url = "http://my-splunk-instance:8088/services/collector"


   ## HTTP method, one of: "POST" or "PUT"
   method = "POST"
  
   # DEV ONLY
   insecure_skip_verify = false

   data_format = "splunkmetric"
   splunkmetric_hec_routing = true

   ## Additional HTTP headers
   [outputs.http.headers]
      Content-Type = "application/json"
      Authorization = "Splunk my-splunk-token"
      X-Splunk-Request-Channel = "my-splunk-token"

Do I need to create a specific index and list this in the HEC token config? Is there a source type I'm somehow discarding?
