Splunk® Supported Add-ons

Splunk Add-on for Linux

Source types for the Splunk Add-on for Linux

The Splunk Add-on for Linux provides the index-time and search-time knowledge for CollectD and AuditD.

  • linux:collectd:http:json is for performance metrics sent to the Splunk platform via HEC in JSON format
  • linux:collectd:graphite is for performance metrics sent to the Splunk platform via TCP in Graphite format
  • linux:collectd:http:metrics is for performance metrics sent to the Splunk platform via HEC.

CollectD data works with ITSI data models.

Source type Event type ITSI data models
linux:collectd:http:json

or

linux:collectd:graphite

linux_collectd_cpu ITSI OS Model Performance.CPU
linux_collectd_memory ITSI OS Model Performance.Memory
linux_collectd_swap ITSI OS Model Performance
linux_collectd_df ITSI OS Model Performance.Storage
linux_collectd_interface ITSI OS Model Performance.Network
linux_collectd_disk ITSI OS Model Performance.Storage
linux_collectd_load ITSI OS Model Performance
linux_collectd_processes ITSI OS Model Performance.CPU
linux_collectd_protocols ITSI OS Model Performance
linux_collectd_irq ITSI OS Model Performance
linux_collectd_tcpconns ITSI OS Model Performance.Network
linux_collectd_thermal ITSI OS Model Performance
linux_collectd_uptime ITSI OS Model Performance.OS

The two source types linux:collectd:http:json and linux:collectd:graphite collect the same data from CollectD. However, the collection method and the data format are different for these two source types.

Splunk recommends sending data in JSON format via HEC. The data collected in JSON format contains more information than Graphite provides. Using JSON via HEC improves knowledge mapping to the Splunk IT Service Intelligence (ITSI) data model for Linux KPIs. For example, a network interface measurement in Graphite format is presented as two strings:

  • localhost-234.interface-eno16777984.if_octets.tx 573.300503  1481692948
  • localhost-234.interface-eno16777984.if_octets.rx 783.017354 1481692948

The same measurement in JSON format is presented as a single event: 

{"values":[783.017354110699,573.300503324745],"dstypes":["derive","derive"],"dsnames":["rx","tx"],"time":1481692948.296,"interval":60.000,"host":"localhost-234","plugin":"interface","plugin_instance":"eno16777984","type":"if_octets","type_instance":"","meta":{"network:received":true}}


AuditD data works with CIM data models.

Source type Event type CIM data models
linux:audit linux_audit_account_change Change
linux_audit_authentication Authentication
linux_audit_endpoint Endpoint
linux_audit_endpoint_services Endpoint
Last modified on 25 July, 2022
Splunk Add-on for Linux   When to use the Splunk Add-on for Linux

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters