Manually configure metrics collection for *nix on Splunk App for Infrastructure
Admin privileges are required to configure metrics collection.
Install the collectd agent to collect system metrics on a *nix host instead of using the script when:
- You are installing the universal forwarder on a closed network
- You already have a universal forwarder on the host from which you want to collect data for the app
- You do not have trusted URLs from which you can download the universal forwarder package
For more information about collectd, see About using collectd.
If you manually configure metrics collection, you also need to manually configure log collection. For more information, see Manually configure log collection for *nix on Splunk App for Infrastructure.
Steps
Install and run the collectd agent as a non-root user.
- Launch a shell or command prompt.
- Install all dependencies.
  - For Redhat/Centos:
        yum install autoconf libtool bison byacc flex libcurl-devel wget
  - For Debian/Ubuntu:
        apt-get install autoconf libtool bison byacc flex libcurl4-openssl-dev wget pkg-config
- Install collectd.
    cd ~
    git clone https://github.com/collectd/collectd.git
    cd collectd
    ./build.sh
    ./configure
    make
    make install
- Copy the write_splunk plug-in.
    wget https://<Splunk App Instance>:8000/en-US/static/app/splunk_app_infrastructure/unix_agent/unix-agent.tgz
    tar xvfz unix-agent.tgz
    cp unix-agent/write_splunk.so /opt/collectd/lib/collectd/
- Configure the collectd plug-in.
    cd /opt/collectd/etc/
    vi collectd.conf
    #
    # Config file for collectd(1).
    # Please read collectd.conf(5) for a list of options.
    # http://collectd.org/
    #

    ##############################################################################
    # Global                                                                     #
    #----------------------------------------------------------------------------#
    # Global settings for the daemon.                                            #
    ##############################################################################

    Hostname    "collectd.server.sample"
    #FQDNLookup   true
    #BaseDir     "/var/lib/collectd"
    #PIDFile     "/var/run/collectd.pid"
    #PluginDir   "/usr/lib64/collectd"
    #TypesDB     "/usr/share/collectd/types.db"

    #----------------------------------------------------------------------------#
    # When enabled, plugins are loaded automatically with the default options    #
    # when an appropriate <Plugin ...> block is encountered.                     #
    # Disabled by default.                                                       #
    #----------------------------------------------------------------------------#
    #AutoLoadPlugin false

    #----------------------------------------------------------------------------#
    # When enabled, internal statistics are collected, using "collectd" as the   #
    # plugin name.                                                               #
    # Disabled by default.                                                       #
    #----------------------------------------------------------------------------#
    #CollectInternalStats false

    #----------------------------------------------------------------------------#
    # Interval at which to query values. This may be overwritten on a per-plugin #
    # base by using the 'Interval' option of the LoadPlugin block:               #
    #   <LoadPlugin foo>                                                         #
    #       Interval 60                                                          #
    #   </LoadPlugin>                                                            #
    #----------------------------------------------------------------------------#
    Interval     60

    #MaxReadInterval 86400
    #Timeout         2
    #ReadThreads     5
    #WriteThreads    5

    # Limit the size of the write queue. Default is no limit. Setting up a limit is
    # recommended for servers handling a high volume of traffic.
    #WriteQueueLimitHigh 1000000
    #WriteQueueLimitLow   800000

    ##############################################################################
    # Logging                                                                    #
    #----------------------------------------------------------------------------#
    # Plugins which provide logging functions should be loaded first, so log     #
    # messages generated when loading or configuring other plugins can be        #
    # accessed.                                                                  #
    ##############################################################################

    LoadPlugin syslog
    LoadPlugin logfile
    <LoadPlugin "write_splunk">
        FlushInterval 10
    </LoadPlugin>

    ##############################################################################
    # LoadPlugin section                                                         #
    #----------------------------------------------------------------------------#
    # Lines beginning with a single `#' belong to plugins which have been built  #
    # but are disabled by default.                                               #
    #                                                                            #
    # Lines beginning with `##' belong to plugins which have not been built due  #
    # to missing dependencies or because they have been deactivated explicitly.  #
    ##############################################################################

    #LoadPlugin csv
    LoadPlugin cpu
    LoadPlugin memory
    LoadPlugin df
    LoadPlugin load
    LoadPlugin disk
    LoadPlugin interface

    ##############################################################################
    # Plugin configuration                                                       #
    #----------------------------------------------------------------------------#
    # In this section configuration stubs for each plugin are provided. A desc-  #
    # ription of those options is available in the collectd.conf(5) manual page. #
    ##############################################################################

    <Plugin logfile>
        LogLevel info
        File "/etc/collectd/collectd.log"
        Timestamp true
        PrintSeverity true
    </Plugin>

    <Plugin syslog>
        LogLevel info
    </Plugin>

    <Plugin cpu>
        ReportByCpu false
        ReportByState true
        ValuesPercentage true
    </Plugin>

    <Plugin memory>
        ValuesAbsolute false
        ValuesPercentage true
    </Plugin>

    <Plugin df>
        FSType "ext2"
        FSType "ext3"
        FSType "ext4"
        FSType "XFS"
        FSType "rootfs"
        FSType "overlay"
        FSType "hfs"
        FSType "apfs"
        FSType "zfs"
        FSType "ufs"
        ReportByDevice true
        ValuesAbsolute false
        ValuesPercentage true
        IgnoreSelected false
    </Plugin>

    <Plugin load>
        ReportRelative true
    </Plugin>

    <Plugin disk>
        Disk ""
        IgnoreSelected true
        UdevNameAttr "DEVNAME"
    </Plugin>

    <Plugin interface>
        IgnoreSelected true
    </Plugin>

    <Plugin write_splunk>
        server "<splunk app server>"
        port "8088"
        token "<HEC TOKEN>"
        ssl true
        # verifyssl false skips validation of the server certificate
        verifyssl false
        # Optional dimension, given as "key:value"
        Dimension "key1:value1"
    </Plugin>

    # Update Hostname, <HEC TOKEN> and <splunk app server> in the collectd.conf file above.
    # You can also add dimensions to the write_splunk plugin as Dimension "key:value" (optional).
- Run collectd.
/opt/collectd/sbin/collectd
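The configuration above stores the HEC token in clear text in collectd.conf and sets verifyssl false. The following shell function is an added example, not part of the Splunk documentation: it audits the write_splunk block of a collectd.conf for those conditions and for placeholders that were never replaced. The function name, the finding names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Splunk code. Audits the write_splunk settings of a
# collectd.conf; prints one finding per line, returns 1 if any were found.
audit_write_splunk() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    # The HEC token is stored in clear text, so flag group/other read access.
    # Characters 5 and 8 of the ls mode string are the group and other r bits.
    case $(ls -ldL "$conf" | cut -c5,8) in
        *r*) echo "FILE_READABLE_BY_GROUP_OR_OTHER"; rc=1 ;;
    esac
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        tolower($0) ~ /<plugin[ \t]+"?write_splunk"?>/ { blk = 1; seen = 1; next }
        blk && tolower($0) ~ /<\/plugin>/ { blk = 0; next }
        blk && NF >= 2 {
            key = tolower($1); val = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", val)             # drop the key
            sub(/[ \t]+$/, "", val); gsub(/"/, "", val)      # trim, unquote
            off = (tolower(val) ~ /^(false|no|off)$/)
            if (key == "ssl" && off)       { print "SSL_DISABLED"; n++ }
            if (key == "verifyssl" && off) { print "CERT_VERIFICATION_DISABLED"; n++ }
            if ((key == "server" || key == "token") && val ~ /^<.*>$/) {
                print "PLACEHOLDER_NOT_REPLACED " key; n++
            }
        }
        END {
            if (!seen) { print "NO_WRITE_SPLUNK_BLOCK"; n++ }
            exit (n > 0)
        }
    ' "$conf" || rc=1
    return $rc
}

# Constructed sample mirroring the write_splunk block shown on this page.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<Plugin write_splunk>
    server "<splunk app server>"
    port "8088"
    token "<HEC TOKEN>"
    ssl true
    verifyssl false
</Plugin>
EOF
chmod 644 "$demo_conf"
audit_write_splunk "$demo_conf" || true
rm -f "$demo_conf"
```

Run it against /opt/collectd/etc/collectd.conf after editing; an empty result with exit status 0 means none of the checked conditions were found.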
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.0, 1.2.1, 1.2.2, 1.2.3