Configure the HTTP Event Collector to receive metrics data for SAI
Use an HTTP Event Collector (HEC) to collect metrics from collectd and fluentd. Whether you run the easy install script or set up integrations manually, you have to configure HEC for metrics you collect with collectd and fluentd. To use HEC to collect metrics, configure an HEC token for the Splunk App for Infrastructure (SAI). Collectd and fluentd send metrics data to the index you specify in the HEC token configuration.
em_metrics is the default metrics index to send data you receive from HEC. If you want to use another metrics index, specify it when you create the HEC token instead. If you use another index, you have to update the sai_metrics_indexes macro, too. For more information about using another index, see Use custom metric indexes in Splunk App for Infrastructure.
These integrations use collectd and fluentd:
| Collection agent | Integration |
|---|---|
| collectd |
|
| fluentd |
|
Prerequisites
- You plan to collect data from an integration that requires HEC.
- You have an index or multiple indexes you want to send metrics data to.
- You enabled HEC. See Enable HTTP Event Collector in the Splunk Enterprise Getting Data In guide.
Steps
Follow these steps to configure an HEC token for SAI data collection. You can configure an HEC token in Splunk Web or with .conf files.
Configure an HEC token in Splunk Web
These steps show you how to set up an HEC token in Splunk Web to collect metrics data from collectd and fluentd in SAI. For more information about configuring an HEC token in Splunk Web, see Set up and use HTTP Event Collector in Splunk Web in the Splunk Enterprise Getting Data In guide.
- In Splunk Web, log in as an administrator.
- Go to Settings > Data inputs, select HTTP Event Collector, and click Global Settings. Ensure that All Tokens is set to Enabled. Also take note of the HTTP Port Number because you will need it later when you start adding data. When you're done, click Save.
- Click New Token.
- For Select Source, don't check Enable indexer acknowledgement.
- For Input Settings, these are the required settings for SAI. If you use another metrics index, specify it instead of
em_metrics. You can also include multiple allowed indexes.Setting Value Source type em_metricsApp context Splunk_TA_InfrastructureSelect Allowed Indexes em_metrics
Collectd and fluentd send metrics data to the default index only.Default Index em_metrics - Review the settings and then generate the HEC Token to send data over HEC to the Splunk Enterprise instance.
- Confirm the token was created and copy the Token Value. You need to provide this when you configure an integration that uses fluentd or collectd. You can also return to this page to view it later.
Configure an HEC token from inputs.conf
These steps show you how to set up an HEC token with .conf files to collect metrics data from collectd and fluentd in SAI. For more information about configuring an HEC token with .conf files, see Set up and use HTTP Event Collector with configuration files in the Splunk Enterprise Getting Data In guide.
- Go to the
$SPLUNK_HOME/etc/system/localdirectory. - Open the
inputs.conffile with a text editor. If it doesn't exist yet, create it. - Enter this HEC token stanza. These are the default values. If you use another metrics index, specify it instead of
em_metrics. You can also include multiple allowed indexes.[http://<token_name>] disabled = 0 index = em_metrics indexes = em_metrics sourcetype = em_metrics token = <string>
- Save your changes and close the file.
- Restart splunkd:
$SPLUNK_HOME/bin/splunk restart
| How the easy install script works in Splunk App for Infrastructure | Stop data collection on Splunk App for Infrastructure |
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5
Download manual
Feedback submitted, thanks!