Splunk® IT Essentials Work

Entity Integrations Manual

This documentation does not apply to the most recent version of Splunk® IT Essentials Work. For documentation on the most recent version, go to the latest release.

Send collectd data to a local universal forwarder in ITE Work

If you already have firewall rules and ports set up for a local universal forwarder, you can use those same settings to send metrics data from collectd through the local universal forwarder to Splunk IT Essentials Work (ITE Work). This makes it easier to monitor an entity in a closed network or large environment without creating new rules and ports. Configure collectd to send metrics data to a universal forwarder on a *nix host. To follow these steps, you must have already deployed collectd and a universal forwarder on the *nix host.

To send metrics data from collectd to the universal forwarder, configure a UDP port for the local universal forwarder and modify the collectd write_splunk plug-in in collectd.conf.

Prerequisites

Requirement | Description
collectd | You set up collectd on the host. For more information, see one of these topics:
universal forwarder | You set up a universal forwarder on the host to send data to ITE Work. For more information, see one of these topics:

Steps

Follow these steps to start sending collectd data to a local universal forwarder.

1. Add a UDP network input

Configure a UDP input in $SPLUNKFORWARDERHOME/etc/system/local/inputs.conf so the universal forwarder can receive data from collectd. Add this stanza with the following attributes:

[udp://<UDP_PORT>]
index = itsi_im_metrics
sourcetype = itis_im_metrics_udp
no_appending_timestamp = true

If you're using a different index for metrics, replace itsi_im_metrics with the custom index.

For more information about configuring a UDP input, see Add a network input using inputs.conf in the Splunk Enterprise Getting Data In manual.

2. Modify the write_splunk plug-in

In collectd.conf on the Linux or Unix host, modify the write_splunk plug-in according to the following example. To find your collectd.conf file, see collectd package sources, install commands, and locations.

<Plugin write_splunk>
server "<UF hostname, IP, or localhost>"
buffersize 9000
useudp true
udpport <UDP_PORT>
</Plugin>

buffersize is the size (in bytes) of the Send Buffer that the write_splunk plug-in uses. You can increase the buffersize if your operating system supports it.

3. Restart the universal forwarder and collectd

Restart the universal forwarder:

./splunk restart

Restart collectd:

sudo service collectd restart
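
The following script is an added example, not part of the Splunk documentation. It cross-checks the two files edited in steps 1 and 2: write_splunk must have useudp true, and its udpport must match a [udp://...] stanza in inputs.conf. The function names, the sample files, and port 9999 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Splunk code: cross-check the files edited in steps 1 and 2.

# Print the port of each [udp://...] stanza in an inputs.conf file.
uf_udp_ports() {
    awk '/^[ \t]*\[udp:/ {
        s = substr($0, index($0, "//") + 2)   # text after "udp://"
        sub(/\].*$/, "", s)                   # drop "]" and anything after it
        n = split(s, part, ":")               # tolerate [udp://host:port]
        print part[n]
    }' "$1"
}

# Print the value of one option inside the <Plugin write_splunk> block.
ws_option() {
    awk -v key="$2" '
        /^[ \t]*<Plugin[ \t]+"?write_splunk"?[ \t]*>/ { inblk = 1; next }
        index($0, "</Plugin>") { inblk = 0 }
        inblk && $1 == key { gsub(/"/, "", $2); print $2 }
    ' "$1"
}

# Return 0 only if collectd sends UDP to a port the forwarder listens on.
# Arguments: <inputs.conf> <collectd.conf>
check_collectd_udp() {
    port=$(ws_option "$2" udpport)
    server=$(ws_option "$2" server)
    [ "$(ws_option "$2" useudp)" = "true" ] ||
        { echo "FAIL: useudp is not true in write_splunk"; return 1; }
    [ -n "$port" ] || { echo "FAIL: no udpport in write_splunk"; return 1; }
    uf_udp_ports "$1" | grep -qxF "$port" ||
        { echo "FAIL: no [udp://$port] stanza in $1"; return 1; }
    case $server in
        localhost|127.0.0.1) ;;
        *) echo "NOTE: server is $server, not loopback; the UDP input is unauthenticated" ;;
    esac
    echo "OK: collectd and the forwarder agree on UDP port $port"
}

# Constructed sample files; port 9999 is an arbitrary example value.
d=$(mktemp -d)
printf '%s\n' '[udp://9999]' 'index = itsi_im_metrics' \
    'sourcetype = itis_im_metrics_udp' 'no_appending_timestamp = true' > "$d/inputs.conf"
printf '%s\n' '<Plugin write_splunk>' 'server "localhost"' 'buffersize 9000' \
    'useudp true' 'udpport 9999' '</Plugin>' > "$d/collectd.conf"
check_collectd_udp "$d/inputs.conf" "$d/collectd.conf"
```

Run it before step 3 with the real file paths as arguments to check_collectd_udp; a FAIL line means collectd would send to a port the forwarder is not listening on.
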
Last modified on 28 February, 2024

This documentation applies to the following versions of Splunk® IT Essentials Work: 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 4.9.6, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only, 4.10.3 Cloud only, 4.10.4 Cloud only, 4.11.0, 4.11.1, 4.11.2, 4.11.3, 4.11.4, 4.11.6, 4.12.0 Cloud only, 4.12.2 Cloud only, 4.13.0, 4.13.1, 4.13.2, 4.13.3, 4.14.0 Cloud only, 4.14.1 Cloud only, 4.14.2 Cloud only, 4.15.0, 4.15.1, 4.15.2, 4.15.3, 4.16.0 Cloud only, 4.17.0, 4.17.1

