Collect *nix metrics and logs with the data collection script in ITSI
Use the data collection script to configure data collection agents on a *nix host you want to collect metrics and log data from. If you're running Docker containers without an orchestration tool like Kubernetes or OpenShift, you can also use the script to monitor Docker containers on Linux hosts.
The data collection script requires internet access. If you don't have internet access, configure data collection manually. For more information, see these topics:
To collect data from a system running SELinux, see Collect data in ITSI with SELinux.
If you haven't seen the requirements yet, see *nix integration requirements for ITSI.
If you're using Splunk Cloud Platform, you need to enter specific information according to your cloud stack when you configure an integration. For more information, see Send data to Splunk Cloud Platform with ITSI data collection agents.
To see which data the *nix integration sends to ITSI, see *nix data you can collect with ITSI.
|*nix host||See *nix integration operating system support.|
|Dependencies||See Required *nix dependencies.|
In Splunk Enterprise, you have to be a user with the
In Splunk Cloud Platform, you have to be a user with the
Alternatively, you can configure collectd to send data to the local universal forwarder instead of using the HEC. For more information, see Send collectd data to a local universal forwarder.
|Internet access||The data collection script downloads a universal forwarder package from https://www.splunk.com/en_us/download/universal-forwarder.html to collect logs, and downloads collectd to collect metrics. Where the data collection script downloads collectd from depends on your operating system. For more information about collectd install locations, see collectd package sources, install commands, and locations for ITSI.|
Steps to configure the data collection script for *nix hosts
Follow these steps to configure and use the data collection script to collect *nix metrics and logs in ITSI.
1. Specify configuration options
Configure data collection options for collecting metrics and logs from your host.
- From the ITSI main menu, go to Configuration > Data Integrations.
- Select the Unix and Linux chicklet.
- Select Collectd.
- Click Customize to select the metrics and log sources you want to collect data for. The uptime metrics are selected by default, and cannot be deselected.
- If you select cpu > Collect data for each CPU, metrics are stored for each CPU core, which enables you to split CPU usage by each core in the Analysis Workspace.
- If you select cpu > Collect sum over all CPUs, only aggregate metrics are stored for CPU usage.
dimension:value, such as region:uswest. You can't delete dimensions the plug-in creates.
--allow-unauthenticated flag and imports the repository's signing key, enabling you to verify the source location of the collectd package. This setting applies only when installing on the following operating systems:
- Debian 7, 8
- Ubuntu 14, 16
/var/run/. The Docker socket is the UNIX socket Docker listens to for Docker API calls.
2. Copy and paste the data collection script in a command line on the host
Deploy the script on your host to collect metrics and logs.
If you're running Ubuntu 18.04.1 LTS and haven't enabled the universe repository, the script may fail. Run these commands to enable the universe repository before running the script:
sudo apt-add-repository universe && sudo apt-get update
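To find out whether the universe repository is already enabled before you change the host's APT sources, you can run a pre-flight check like the following. This is an added example, not part of the Splunk data collection script; the function names are hypothetical, the sample entries are constructed, and the paths in check_host are the standard APT source locations.

```shell
#!/bin/sh
# Added example: pre-flight check for the Ubuntu "universe" component.

# universe_enabled [FILE...]
# Exit status 0 if an active binary "deb" entry lists the "universe" component.
# Reads standard input when no FILE is given.
universe_enabled() {
    awk '
        {
            sub(/#.*/, "")               # drop comments, including disabled entries
            sub(/\[[^]]*\]/, "")         # drop [arch=... signed-by=...] options
            if ($1 != "deb") next        # skip deb-src entries and blank lines
            for (i = 4; i <= NF; i++)    # fields: deb URI suite component...
                if ($i == "universe") found = 1
        }
        END { exit !found }
    ' "$@"
}

# Constructed sample: universe appears only in a commented-out and a deb-src entry.
sample_disabled() {
    cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu bionic main restricted
# deb http://archive.ubuntu.com/ubuntu bionic universe
deb-src http://archive.ubuntu.com/ubuntu bionic universe
EOF
}

# Constructed sample: universe enabled on an entry that carries options.
sample_enabled() {
    cat <<'EOF'
deb [arch=amd64] http://archive.ubuntu.com/ubuntu bionic main universe
EOF
}

# Check the real host: only source files that exist are passed to the parser.
check_host() {
    set --
    for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] && set -- "$@" "$f"
    done
    [ "$#" -gt 0 ] && universe_enabled "$@"
}

sample_disabled | universe_enabled || echo "sample_disabled: universe not enabled"
sample_enabled  | universe_enabled && echo "sample_enabled: universe enabled"
```

On the host itself, call check_host and enable the repository only if it returns a non-zero status.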
Follow these steps to deploy the script:
- Open a terminal window on the monitoring machine.
- Paste the script in the command line window.
- Run the script. When you run the script for the first time, you may receive a message stating that the universal forwarder was installed without creating an admin user. If this occurs, you have to manually create admin credentials. For information about configuring user credentials, see user-seed.conf in the Splunk Enterprise Admin Manual.
3. Verify your data connection
Verify your data connection to start monitoring your infrastructure. It can take up to about five minutes for your host to display in the user interface.
In the ITSI user interface, go to Configuration > Entities and wait for new hosts to start appearing. Each host has the entity type
This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.6.0 Cloud only, 4.6.1 Cloud only, 4.6.2 Cloud only, 4.7.0, 4.7.1, 4.7.2, 4.8.0 Cloud only, 4.8.1 Cloud only, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.10.0 Cloud only, 4.10.1 Cloud only, 4.10.2 Cloud only