Splunk Search

Can you help me figure out what I'm doing wrong with my Base Collectd Configuration for a lab?

daniel333
Builder

All,

I am not able to get collectD metrics to appear on my Splunk stand alone instance.

I am setting up CollectD in my lab as recommended by our support engineer to replace Splunk for Nix eventually in prod. COMPLETELY new to this. I stole this config from the Splunk configuring collectd guide:

http://docs.splunk.com/Documentation/Splunk/7.2.0/Metrics/GetMetricsInCollectd#Configure_collectd

I have one box with everything on it including HEC.

LoadPlugin write_http
<Plugin write_http>
    <Node "node1">
        URL "https://localhost:8088/services/collector/raw"
        Header "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"
        Format "JSON"
        VerifyPeer false
        VerifyHost false
        Metrics true
        StoreRates true
    </Node>
</Plugin>

LoadPlugin cpu
<Plugin cpu>
  ReportByCpu true
</Plugin>

LoadPlugin interface

LoadPlugin syslog

LoadPlugin load
<Plugin load>
    ReportRelative true
</Plugin>

<Plugin logfile>
    LogLevel info
    File "/var/log/collectd.log"
    Timestamp true
    PrintSeverity false
</Plugin>

Include "/etc/collectd.d"

I don't think it's my HEC configuration as I can use this bash script I found to post collectD metrics to my metrics index without issue.

curl -k https://localhost:8088/services/collector/raw?sourcetype=collectd_http   \
-H "Authorization: Splunk a31e3e37-4324-4219-8685-ce647c5be74d"                                      \
-d '[{"values":[164.9196798931339196],"dstypes":["derive"],"dsnames":["value"],"time":1541268208.894,"interval":10.000,"host":"collectd","plugin":"protocols","plugin_instance":"IpExt","type":"protocol_counter","type_instance":"InOctets"}]'

So I think I must be doing something wrong with my collectd.conf file. But everything looks good as far as I know. Anything jumping out as a problem here to anyone?

EDIT - I just noticed that when I restart collectd, I get this message:

[root@splunkes administrator]# systemctl status collectd
● collectd.service - Collectd statistics daemon
   Loaded: loaded (/usr/lib/systemd/system/collectd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2018-11-03 22:47:20 UTC; 2s ago
     Docs: man:collectd(1)
           man:collectd.conf(5)
 Main PID: 14295 (collectd)
   CGroup: /system.slice/collectd.service
           └─14295 /usr/sbin/collectd

Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
Nov 03 22:47:21 splunkes collectd[14295]: Available write targets: [none]
[root@splunkes administrator]# date
Sat Nov  3 22:47:29 UTC 2018
[root@splunkes administrator]#

philip_w
Explorer

same here....
Anyone knows what's the problem?

0 Karma

swissgato
New Member

same issue...

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...