Use custom metric indexes in Splunk App for Infrastructure
You can create custom indexes to store metrics data in the Splunk App for Infrastructure (SAI). For more information about creating custom indexes, see Create custom indexes.
The default index for metrics data in Splunk App for Infrastructure is em_metrics.
About the em_metrics source type
The em_metrics sourcetype is specifically for use with SAI, collectd, and the write_splunk plugin for collectd. This sourcetype performs important data transforms before indexing that are not available in the standard collectd sourcetype. Use the sourcetype in any custom metrics index that you create.
Use a custom metrics index in SAI
Include a custom metrics index in the metrics index macro so you can monitor hosts in your infrastructure that send data to the custom index. You can also add multiple metrics indexes.
- Go to Settings > Advanced search and select Search macros.
- For App, select Splunk App for Infrastructure (splunk_app_infrastructure).
- Select the sai_metrics_indexes macro.
- For the Definition, include the custom index you want to use. If you use multiple metrics indexes, add each one like this:
index = linux_metrics OR index = windows_metrics
- When you're done, save the macro.
- Go to Settings > Data inputs and select HTTP Event Collector.
- For the HEC token you use to collect metrics, update the allowed indexes list and specify a new Default Index.
- When you're done, save the configuration.
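A consistency check for the steps above, as an added example that is not part of the Splunk documentation: it compares the indexes named in the sai_metrics_indexes macro with the allowed indexes and default index of the HEC token. It assumes the settings are read from macros.conf and inputs.conf excerpts; the samples are constructed, and the token stanza name sai_metrics and the all-zero token value are placeholders.

```python
import configparser
import re

# Constructed samples. Index names follow the page's example; the stanza name
# "sai_metrics" and the all-zero token are placeholders (assumptions).
MACROS_CONF = """
[sai_metrics_indexes]
definition = index = linux_metrics OR index = windows_metrics
"""
INPUTS_CONF = """
[http://sai_metrics]
token = 00000000-0000-0000-0000-000000000000
index = em_metrics
indexes = linux_metrics, main
"""

def _parse(text):
    # Split on "=" only so "http://..." stanza names and values survive intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def macro_indexes(macros_text, macro="sai_metrics_indexes"):
    """Index names referenced by the macro definition."""
    definition = _parse(macros_text)[macro]["definition"]
    return set(re.findall(r'\bindex\s*=\s*"?([\w-]+)"?', definition))

def audit_hec_token(inputs_text, stanza, searched):
    """Compare a HEC token's index settings with the indexes SAI searches."""
    sec = _parse(inputs_text)[stanza]
    allowed = {i.strip() for i in sec.get("indexes", "").split(",") if i.strip()}
    default = sec.get("index", "").strip()
    return {
        # An empty allowed list places no restriction on the target index.
        "unrestricted": not allowed,
        # Searched by SAI, but the token may not write there.
        "not_writable": sorted(searched - allowed) if allowed else [],
        # Writable with this token, but never searched by SAI.
        "not_searched": sorted(allowed - searched),
        # The default index should be both allowed and searched.
        "default_ok": default in searched and (not allowed or default in allowed),
    }

if __name__ == "__main__":
    report = audit_hec_token(INPUTS_CONF, "http://sai_metrics",
                             macro_indexes(MACROS_CONF))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A token that passes has empty not_writable and not_searched lists and default_ok set to True, meaning it can write only to indexes that SAI actually searches.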
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5