Splunk® App for Infrastructure (Legacy)

Administer Splunk App for Infrastructure

This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

Manually configure metrics collection on a *nix host for Splunk App for Infrastructure

To configure data collection, you must log in to an account with permissions to use sudo for root access. Do not log in as the root user.

Manually install the collectd agent to collect system metrics on a *nix host instead of using the script when:

  • You are installing collectd on a closed network.
  • You already have collectd on the host from which you want to collect data.
  • You do not have trusted URLs from which you can download the required packages and dependencies.

For more information, see About using collectd.

You can also configure collectd to forward metrics data to a local universal forwarder. For more information, see Send collectd data to a universal forwarder.

If you manually configure metrics collection, you also need to manually configure log collection. For more information, see Manually configure log collection on a *nix host for Splunk App for Infrastructure.

Before configuring metrics collection manually, confirm your system has the required dependencies. For more information, see *nix data collection requirements.

1. Install collectd version 5.7.x or 5.8.x

If you have not already installed collectd on your host, install version 5.7.x or 5.8.x now.

If you have an earlier version of collectd, you must update to a compatible version.

To install collectd on a Debian or Ubuntu host, enter:

$ sudo apt-get install collectd

To install collectd on a CentOS, Red Hat, or Fedora host, enter:

$ sudo yum install collectd

To install collectd on a SUSE or openSUSE host, enter:

$ sudo zypper install collectd

To install collectd on a Solaris host, enter:

$ pkgadd -d http://get.opencsw.org/now
$ /opt/csw/bin/pkgutil -U
$ /opt/csw/bin/pkgutil -y -i collectd 
$ /usr/sbin/pkgchk -L CSWcollectd # list files

2. Install the libcurl package

If you have not already installed the libcurl package on your host, install it now.

To install libcurl on a Debian or Ubuntu host, enter:

$ sudo apt-get install libcurl3

To install libcurl on a CentOS, Red Hat, or Fedora host, enter:

$ sudo yum install libcurl

To install libcurl on a SUSE or openSUSE host, enter:

$ sudo zypper install libcurl4

To install libcurl on a Solaris host, enter:

$ pkgadd -d http://get.opencsw.org/now
$ /opt/csw/bin/pkgutil -U
$ /opt/csw/bin/pkgutil -y -i libcurl4_feature 
$ /usr/sbin/pkgchk -L CSWlibcurl4-feature # list files

3. Copy the write_splunk plug-in to collectd's plug-in directory

For information about plug-in locations, see collectd package sources, install commands, and locations.

For all entities except Solaris entities, copy the write_splunk plug-in:

$ wget https://<hostname>:8000/en-US/static/app/splunk_app_infrastructure/unix_agent/unix-agent.tgz
$ tar xvzf unix-agent.tgz
$ cp unix-agent/write_splunk.so <plug-in_directory>

If you are configuring metrics collection on a Solaris host, enter:

$ wget https://<hostname>:8000/en-US/static/app/splunk_app_infrastructure/unix_agent/unix-agent.tgz
$ tar xvzf unix-agent.tgz
$ cp write_splunk-solaris.so "/opt/csw/lib/collectd/write_splunk.so"

4. Configure collectd.conf to send data to the Splunk App for Infrastructure

To configure collectd.conf, you must add the <Plugin write_splunk> and <LoadPlugin "write_splunk"> plug-ins and modify the Hostname field. For information about required plug-in locations, see collectd package sources, install commands, and locations.

  1. Add the <LoadPlugin "write_splunk"> plug-in.
    <LoadPlugin "write_splunk">
    FlushInterval 30
    </LoadPlugin>
    
  2. Add the <Plugin write_splunk> plug-in. This plug-in must come after the <LoadPlugin "write_splunk"> plug-in, or the plug-in will not load correctly.
    <Plugin write_splunk>
    server "<receiving_server>"
    port "<hec_port>"
    token "<hec_token>"
    ssl true
    verifyssl false
    Dimension "key1:value1"
    </Plugin>
    
    | Field | Value |
    | --- | --- |
    | receiving_server | The IP or hostname of the Splunk deployment to which you are sending data. If you are sending data to a distributed deployment, the IP or hostname of the indexer. If you deploy a load balancer, the IP or hostname of the load balancer. |
    | hec_port | The HEC port. |
    | hec_token | The HEC token. |
  3. Update the Hostname field. The Hostname is the name of the host from which you send data.

Here is a recommended collectd.conf file:

#
# Config file for collectd(1).
# Please read collectd.conf(5) for a list of options.
# http://collectd.org/
#

##############################################################################
# Global #
#----------------------------------------------------------------------------#
# Global settings for the daemon. #
##############################################################################

Hostname "collectd.server.sample"
FQDNLookup false
#BaseDir "/var/lib/collectd"
#PIDFile "/var/run/collectd.pid"
#PluginDir "/usr/lib64/collectd"
#TypesDB "/usr/share/collectd/types.db"

#----------------------------------------------------------------------------#
# When enabled, plugins are loaded automatically with the default options #
# when an appropriate <Plugin ...> block is encountered. #
# Disabled by default. #
#----------------------------------------------------------------------------#
#AutoLoadPlugin false

#----------------------------------------------------------------------------#
# When enabled, internal statistics are collected, using "collectd" as the #
# plugin name. #
# Disabled by default. #
#----------------------------------------------------------------------------#
#CollectInternalStats false

#----------------------------------------------------------------------------#
# Interval at which to query values. This may be overwritten on a per-plugin #
# base by using the 'Interval' option of the LoadPlugin block: #
# <LoadPlugin foo> #
# Interval 60 #
# </LoadPlugin> #
#----------------------------------------------------------------------------#
Interval 60

#MaxReadInterval 86400
#Timeout 2
#ReadThreads 5
#WriteThreads 5

# Limit the size of the write queue. Default is no limit. Setting up a limit is
# recommended for servers handling a high volume of traffic.
WriteQueueLimitHigh 1000000
WriteQueueLimitLow 800000

##############################################################################
# Logging #
#----------------------------------------------------------------------------#
# Plugins which provide logging functions should be loaded first, so log #
# messages generated when loading or configuring other plugins can be #
# accessed. #
##############################################################################

LoadPlugin syslog
LoadPlugin logfile
<LoadPlugin "write_splunk">
FlushInterval 30
</LoadPlugin>

##############################################################################
# LoadPlugin section #
#----------------------------------------------------------------------------#
# Lines beginning with a single `#' belong to plugins which have been built #
# but are disabled by default. #
# #
# Lines beginning with `##' belong to plugins which have not been built due #
# to missing dependencies or because they have been deactivated explicitly. #
##############################################################################

#LoadPlugin csv
LoadPlugin cpu
LoadPlugin memory
LoadPlugin df
LoadPlugin load
LoadPlugin disk
LoadPlugin interface

##############################################################################
# Plugin configuration #
#----------------------------------------------------------------------------#
# In this section configuration stubs for each plugin are provided. A desc- #
# ription of those options is available in the collectd.conf(5) manual page. #
##############################################################################

<Plugin logfile>
LogLevel info
File "/etc/collectd/collectd.log"
Timestamp true
PrintSeverity true
</Plugin>

<Plugin syslog>
LogLevel info
</Plugin>

<Plugin cpu>
ReportByCpu false
ReportByState true
ValuesPercentage true
</Plugin>

<Plugin memory>
ValuesAbsolute false
ValuesPercentage true
</Plugin>

<Plugin df>
FSType "ext2"
FSType "ext3"
FSType "ext4"
FSType "XFS"
FSType "rootfs"
FSType "overlay"
FSType "hfs"
FSType "apfs"
FSType "zfs"
FSType "ufs"
ReportByDevice true
ValuesAbsolute false
ValuesPercentage true
IgnoreSelected false
</Plugin>

<Plugin load>
ReportRelative true
</Plugin>

<Plugin disk>
Disk ""
IgnoreSelected true
UdevNameAttr "DEVNAME"
</Plugin>

<Plugin interface>
IgnoreSelected true
</Plugin>

<Plugin write_splunk>
server "<splunk infrastructure app server>"
port "<HEC PORT>"
token "<HEC TOKEN>"
ssl true
verifyssl false
Dimension "key1:value1"
</Plugin>

Optionally, you can also add dimensions as Dimension "key:value" to the write_splunk plug-in.
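
A pre-start check for the settings in this step, added here as an example and not part of Splunk's documentation or tooling. With `verifyssl false`, as in the sample file above, the plug-in does not verify the HEC server's certificate, and collectd.conf stores the HEC token in plain text, so the check covers both the transport options and the file mode. The function name `audit_write_splunk` and the sample server name, port, and token are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Splunk tooling: lint the <Plugin write_splunk> block of a
# collectd.conf. Option names (ssl, verifyssl, token) are the ones on this page.

# audit_write_splunk FILE: prints one finding per line, returns 1 if any exist.
audit_write_splunk() {
    conf=$1
    findings=$(awk '
        /^[ \t]*#/ { next }   # ignore commented-out lines
        /^[ \t]*<Plugin[ \t]+"?write_splunk"?>/ { inblk = 1; seen = 1; next }
        inblk && /^[ \t]*<\/Plugin>/ { inblk = 0; next }
        inblk && NF >= 2 { v = $2; gsub(/"/, "", v); opt[tolower($1)] = tolower(v) }
        END {
            if (!seen) { print "write_splunk: no <Plugin write_splunk> block"; exit }
            if (opt["ssl"] != "true")
                print "ssl: token and metrics cross the network in cleartext"
            if (opt["verifyssl"] != "true")
                print "verifyssl: HEC server certificate is not verified"
            if (opt["token"] == "" || opt["token"] ~ /^</)
                print "token: missing or still a placeholder"
        }' "$conf")
    # The file holds the HEC token, so it should not be readable by "other".
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        findings="${findings:+$findings
}perms: $conf is world-readable and contains the HEC token"
    fi
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the write_splunk block from this page with made-up values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Plugin write_splunk>
server "splunk.example.internal"
port "8088"
token "00000000-0000-0000-0000-000000000000"
ssl true
verifyssl false
</Plugin>
EOF
chmod 644 "$sample"
audit_write_splunk "$sample" || echo "-> resolve the findings above before starting collectd"
rm -f "$sample"
```

Run it against the real file, for example `audit_write_splunk /etc/collectd/collectd.conf` if that is where your package keeps it; the path is an assumption and varies by distribution.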

5. Start the collectd service

Start collectd:

$ service collectd restart

If you are running collectd on CentOS, enter:

$ systemctl restart collectd
Last modified on 09 July, 2019

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1

