Splunk® App for Infrastructure

Administer Splunk App for Infrastructure

Download manual as PDF

Download topic as PDF

Send collectd data to a local universal forwarder

Configure collectd to send metrics data to a universal forwarder. If you already have firewall rules and ports set up for a local universal forwarder, you can use those same settings to send metrics data from collectd through the local universal forwarder to the Splunk App for Infrastructure (SAI). This makes it easier to monitor an entity in a closed network or large environment without creating new rules and ports.

To send metrics data from collectd to the universal forwarder, configure a UDP port for the local universal forwarder and modify the write_splunk plug-in in collectd.conf.

Prerequisites

To send collectd data to a universal forwarder, you must have already completed these steps:

Steps

Follow these steps to start sending collectd data to a local universal forwarder.

1. Add a network input

Configure a UDP input in $SPLUNKFORWARDERHOME/etc/system/local/inputs.conf so that the universal forwarder can receive data from collectd. Add this stanza with the following attributes:

[udp://{UDP_PORT}]
index = em_metrics
sourcetype = em_metrics_udp
no_appending_timestamp = true

If you are using a different index for metrics, replace em_metrics with the custom index.

For more information about configuring a UDP input, see Add a network input using inputs.conf in the Splunk Enterprise Getting Data In manual.

2. Modify the write_splunk plug-in

Add this stanza to collectd.conf. To find your collectd.conf file, see collectd package sources, install commands, and locations.

<LoadPlugin "write_splunk">
FlushInterval 30
</LoadPlugin>

In collectd.conf, modify the write_splunk plug-in:

<Plugin write_splunk>
server {UF hostname, IP, or localhost}
buffersize 9000
useudp true
udpport {UDP_PORT}
</Plugin>

buffersize is the size (in bytes) of the Send Buffer that the write_splunk plug-in uses. You can increase the buffersize if your operating system supports it.

3. Restart the universal forwarder and collectd

Restart the universal forwarder:

./splunk restart

Restart collectd:

sudo service collectd restart
PREVIOUS
Configure Identity and Access Management (IAM) policy for AWS data collection
  NEXT
Update SELinux to allow for data collection in Splunk App for Infrastructure

This documentation applies to the following versions of Splunk® App for Infrastructure: 1.3.0, 1.3.1, 1.4.0, 1.4.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters