Splunk Search

Can you help me figure out what I'm doing wrong with my Base Collectd Configuration for a lab?

daniel333
Builder

All,

I am not able to get collectD metrics to appear on my Splunk stand alone instance.

I am setting up CollectD in my lab as recommended by our support engineer to replace Splunk for Nix eventually in prod. COMPLETELY new to this. I stole this config from the Splunk configuring collectd guide:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Metrics/GetMetricsInCollectd#Configure_collectd

I have one box with everything on it including HEC.

LoadPlugin write_http
<Plugin write_http>
    <Node "node1">
        URL "https://localhost:8088/services/collector/raw"
        Header "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"
        Format "JSON"
        VerifyPeer false
        VerifyHost false
        Metrics true
        StoreRates true
    </Node>
</Plugin>

LoadPlugin cpu
<Plugin cpu>
  ReportByCpu true
</Plugin>

LoadPlugin interface

LoadPlugin syslog

LoadPlugin load
<Plugin load>
    ReportRelative true
</Plugin>

<Plugin logfile>
    LogLevel info
    File "/var/log/collectd.log"
    Timestamp true
    PrintSeverity false
</Plugin>

Include "/etc/collectd.d"

I don't think it's my HEC configuration as I can use this bash script I found to post collectD metrics to my metrics index without issue.

curl -k https://localhost:8088/services/collector/raw?sourcetype=collectd_http   \
-H "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"                                      \
-d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1541268208.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]'

So I think I must be doing something wrong with my collectd.conf file. But everything looks good as far as I know. Anything jumping out as a problem here to anyone?

EDIT - I just noticed that when I restart collectd, I get this message:

[root@splunkes administrator]# systemctl status collectd
● collectd.service - Collectd statistics daemon
   Loaded: loaded (/usr/lib/systemd/system/collectd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-11-03 22:47:20 UTC; 2s ago
     Docs: man:collectd(1)
           man:collectd.conf(5)
 Main PID: 14295 (collectd)
   CGroup: /system.slice/collectd.service
           └─14295 /usr/sbin/collectd

Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
[root@splunkes administrator]# date
Sat Nov  3 22:47:29 UTC 2018
[root@splunkes administrator]#

philip_w
Explorer

same here....
Anyone knows what's the problem?

0 Karma

swissgato
New Member

same issue...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...