Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure



This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

How the easy install script works in Splunk App for Infrastructure

You can use the easy install script in the Splunk App for Infrastructure to set up data collection on your systems. The script installs data collection agents to collect metrics and log data according to the data sources you specify. When you configure the script to collect any metrics data, the script installs and configures collectd on the host for *nix hosts and a universal forwarder for Windows hosts. When you configure the script to collect any log data, the script installs and configures a universal forwarder on *nix and Windows hosts.

To use the script, you must log in to an account with administrator privileges. Do not log in as the root user. For the easy install script requirements for each operating system, and for instructions on using the script to configure data collection agents on *nix, Windows, and Mac OS X hosts, see the operating-system-specific topics in this manual.

To uninstall the data collection agents that the script installs and configures, see Stop data collection on Splunk App for Infrastructure.

*nix metrics collection

When you specify the Splunk App for Infrastructure to collect metrics from the host, the script completes these actions:

  1. Installs the libcurl package using the package manager of the host's operating system.
  2. Checks the collectd version. If a compatible collectd version has not already been installed, the script installs a compatible collectd version.
  3. Installs the data collection agent, unix-agent.tgz or osx-agent.tgz depending on your operating system. The data collection agent contains the plug-in and .conf configurations.
  4. Copies the write_splunk.so plug-in to collectd's plug-in directory.
  5. Configures the collectd.conf file.
  6. Starts collectd.

For information about collectd package sources and install locations, see collectd package sources, install commands, and locations.

Example write_splunk plug-in configuration

<Plugin write_splunk>
server "<splunk insight server>"
port "<HEC PORT>"
token "<HEC TOKEN>"
ssl true
verifyssl false
Dimension "key1:value1"
</Plugin>

The token value is the HTTP Event Collector (HEC) token that authenticates this host to your Splunk deployment, so treat collectd.conf as a secret and restrict who can read it. The setting verifyssl false makes collectd skip validation of the HEC endpoint's TLS certificate, which lets anyone who can intercept the connection present their own certificate and capture the token and the metrics. Use verifyssl false only while testing, and set verifyssl true in production with a certificate the host trusts.
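The following Python helper is an added example, not part of the easy install script or of the Splunk App for Infrastructure, that audits the write_splunk stanza the script writes in step 5. It parses the <Plugin write_splunk> block and reports template placeholders that were never filled in, ssl not enabled, and verifyssl not set to true. The hardened sample uses a made-up server name and token; the two sample configurations are constructed here for the demonstration.

```python
import re

# Constructed sample: the write_splunk stanza as the easy install script
# templates it, before the placeholders are replaced.
TEMPLATE_CONF = """\
<Plugin write_splunk>
server "<splunk insight server>"
port "<HEC PORT>"
token "<HEC TOKEN>"
ssl true
verifyssl false
Dimension "key1:value1"
</Plugin>
"""

# Constructed sample of a hardened stanza. The host name and token are
# made up for this example; use your own HEC endpoint and token.
HARDENED_CONF = """\
<Plugin write_splunk>
server "sai.example.internal"
port "8088"
token "0a1b2c3d-4e5f-6789-abcd-ef0123456789"
ssl true
verifyssl true
Dimension "env:prod"
</Plugin>
"""

PLUGIN_RE = re.compile(r"<Plugin\s+write_splunk>(.*?)</Plugin>", re.S | re.I)
# One option per line: a key followed by a quoted value or a bare word.
OPTION_RE = re.compile(r'^\s*(\w+)\s+(?:"([^"]*)"|(\S+))\s*$')


def parse_write_splunk(conf_text):
    """Return the options of the <Plugin write_splunk> block as a dict of
    key -> list of values (repeated keys such as Dimension are collected).
    Returns None when the block is absent."""
    m = PLUGIN_RE.search(conf_text)
    if not m:
        return None
    opts = {}
    for line in m.group(1).splitlines():
        line = line.split("#", 1)[0]  # collectd.conf uses # for comments
        om = OPTION_RE.match(line)
        if not om:
            continue
        key = om.group(1).lower()
        val = om.group(2) if om.group(2) is not None else om.group(3)
        opts.setdefault(key, []).append(val)
    return opts


def audit_write_splunk(conf_text):
    """Return a list of findings about the HEC output's transport security.
    An empty list means the stanza passed every check."""
    opts = parse_write_splunk(conf_text)
    if opts is None:
        return ["no <Plugin write_splunk> block found"]

    def first(key):
        return opts.get(key, [None])[0]

    findings = []
    for key in ("server", "port", "token"):
        val = first(key)
        if val is None:
            findings.append(f"{key} is not set")
        elif val.startswith("<") and val.endswith(">"):
            findings.append(f"{key} still contains the template placeholder {val}")
    if (first("ssl") or "").lower() != "true":
        findings.append("ssl is not true: the HEC token and metrics travel in cleartext")
    if (first("verifyssl") or "").lower() != "true":
        findings.append("verifyssl is not true: the HEC server certificate is not "
                        "validated, so an interposed endpoint can capture the token")
    return findings


if __name__ == "__main__":
    for label, conf in (("template", TEMPLATE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_write_splunk(conf) or "OK")
```

Run it against the collectd.conf the script generated on a host; a clean result is an empty list, and the template stanza above produces four findings (three unresolved placeholders plus verifyssl). The audit treats a missing verifyssl as a finding rather than assuming the plug-in's default, because the safe state should be stated explicitly in the file.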

Windows metrics collection

When you specify the Splunk App for Infrastructure to collect metrics from the host, the script completes these actions:

  1. Downloads a universal forwarder from Splunk Enterprise.
  2. Adds Perfmon objects to the inputs.conf file.
  3. Adds a forwarding target group to the outputs.conf file.
  4. Starts the universal forwarder.

Windows metrics you can collect with the easy install script

Depending on the source types you select when adding a host to the Splunk App for Infrastructure, the easy install script collects the following seven Perfmon objects for metrics data collection:

  • CPU Load
  • Physical Disk
  • Network Interface
  • Available Memory
  • System
  • Process
  • Free Disk Space

These are the default values for each Perfmon object the easy install script uses.

[perfmon://CPU Load]
counters = % C1 Time;% C2 Time;% Idle Time;% Processor Time;% User Time;% Privileged Time;% Reserved Time;% Interrupt Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Physical Disk]
counters = % Disk Read Time;% Disk Write Time
instances = *
interval = 30
object = PhysicalDisk
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec;Packets Received/sec;Packets Sent/sec;Packets Received Errors;Packets Outbound Errors
instances = *
interval = 30
object = Network Interface
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Available Memory]
counters = Cache Bytes;% Committed Bytes In Use;Page Reads/sec;Pages Input/sec;Pages Output/sec;Committed Bytes;Available Bytes
interval = 30
object = Memory
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://System]
counters = Processor Queue Length;Threads
instances = *
interval = 30
object = System
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Process]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Process
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
object = LogicalDisk
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

Log collection

When you configure the Splunk App for Infrastructure to collect log data from the host, the script completes these actions:

  1. Downloads a universal forwarder from Splunk. On *nix systems, the unix-agent.tgz or osx-agent.tgz agent, depending on your operating system, is responsible for downloading the universal forwarder.
  2. Configures the inputs.conf and outputs.conf files for the universal forwarder.
    1. Adds MONITOR: stanzas to the inputs.conf file to specify the logs that the app ingests.
    2. For a Windows host, adds WinEventLog: stanzas to the inputs.conf file.
    3. Adds a forwarding target group to the outputs.conf file. A forwarding target group identifies a receiver or set of receivers that the host sends data to.
  3. Starts the universal forwarder.

The script does not create an administrator user when it installs and configures the universal forwarder. If you need one, you have to create the admin user yourself. The usual way is a user-seed.conf file in $SPLUNK_HOME/etc/system/local on the forwarder, which is read on first start to create the account; for the stanza format and password options, see user-seed.conf in the Splunk Enterprise Admin Manual.

Example MONITOR: stanza

[monitor://$SPLUNK_HOME\var\log\splunk\*.log*]
sourcetype = uf
disabled = false

Example WinEventLog stanzas

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
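The following Python helper is an added example, not part of the easy install script or of the Splunk App for Infrastructure, that checks the inputs.conf the script writes on a Windows host: both the Perfmon stanzas from the Windows metrics collection section above and the WinEventLog stanzas from this section. It parses the .conf stanza format, then verifies that every perfmon:// input is routed to the em_metrics index with counters and an integer interval, that no WinEventLog:// input is disabled, and that the four event logs the script configures are all present. The sample inputs.conf is constructed for the demonstration and contains two deliberate defects (one stanza routed to the wrong index, and the Security log disabled); the set of required event logs is taken from the stanzas on this page.

```python
# Constructed sample inputs.conf: two of the Perfmon stanzas the easy install
# script writes, plus the four WinEventLog stanzas. Two defects are planted:
# Free Disk Space goes to the "main" index and the Security log is disabled.
SAMPLE_INPUTS = """\
[perfmon://CPU Load]
counters = % Processor Time;% User Time;% Privileged Time
instances = *
interval = 30
object = Processor
index = em_metrics
_meta =  os::"Microsoft Windows Server 2012 R2 Standard" os_version::6.3.9600 entity_type::Windows_Host

[perfmon://Free Disk Space]
counters = Free Megabytes;% Free Space
instances = *
interval = 30
object = LogicalDisk
index = main

[WinEventLog://Application]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Security]
checkpointInterval = 10
current_only = 0
disabled = 1
start_from = oldest

[WinEventLog://System]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest

[WinEventLog://Setup]
checkpointInterval = 10
current_only = 0
disabled = 0
start_from = oldest
"""

EXPECTED_PERFMON_INDEX = "em_metrics"           # index used on this page
REQUIRED_EVENT_LOGS = ("Application", "Security", "System", "Setup")


def parse_stanzas(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}.
    Lines starting with # are comments; keys before any [stanza] are ignored.
    Only the first '=' splits key from value, so _meta values with '::' survive."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def audit_inputs(text):
    """Return a list of findings; an empty list means inputs.conf is as expected."""
    stanzas = parse_stanzas(text)
    findings = []
    for name, opts in stanzas.items():
        if name.startswith("perfmon://"):
            if opts.get("index") != EXPECTED_PERFMON_INDEX:
                findings.append(f"{name}: index is {opts.get('index')!r}, "
                                f"expected {EXPECTED_PERFMON_INDEX!r}")
            if not opts.get("counters"):
                findings.append(f"{name}: no counters configured")
            if not opts.get("interval", "").isdigit():
                findings.append(f"{name}: interval is missing or not an integer")
        elif name.startswith("WinEventLog://"):
            # Splunk accepts 0/1 and false/true for boolean settings.
            if opts.get("disabled", "0").lower() not in ("0", "false"):
                findings.append(f"{name}: input is disabled")
    for log in REQUIRED_EVENT_LOGS:
        if f"WinEventLog://{log}" not in stanzas:
            findings.append(f"WinEventLog://{log}: stanza is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_inputs(SAMPLE_INPUTS) or ["OK"]:
        print(finding)
```

Point it at $SPLUNK_HOME\etc\apps\<app>\local\inputs.conf on the forwarder (or at the merged output of splunk btool inputs list) to confirm that a host still ships the Security log and that its metrics land in em_metrics rather than in a default index where the app's dashboards will not find them.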
Last modified on 12 November, 2019

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1

