Send collectd data to a local universal forwarder
Configure collectd to send metrics data to a universal forwarder. If you already have firewall rules and ports set up for a local universal forwarder, you can use those same settings to send metrics data from collectd through the local universal forwarder to the Splunk App for Infrastructure (SAI). This makes it easier to monitor an entity in a closed network or large environment without creating new rules and ports.
Prerequisites
To send collectd data to a universal forwarder, you must have already completed these steps:
- Configure collectd. For more information, see Manually configure metrics collection on a *nix host for Splunk App for Infrastructure.
- Install a universal forwarder. For more information, see Install a *nix universal forwarder in the Forwarder Manual.
- Set up the universal forwarder to send data to SAI. For more information, see Manually configure log collection on a *nix host for Splunk App for Infrastructure.
To send metrics data from collectd to the universal forwarder, configure a UDP port for the local universal forwarder and modify the write_splunk plug-in in collectd.conf.
Steps
Follow these steps to start sending collectd data to a local universal forwarder.
1. Add a network input
Configure a UDP input in $SPLUNKFORWARDERHOME/etc/system/local/inputs.conf so that the universal forwarder can receive data from collectd. Add this stanza with the following attributes:
    [udp://{UDP_PORT}]
    index = em_metrics
    sourcetype = em_metrics_udp
    no_appending_timestamp = true
If you are using a different index for metrics, replace em_metrics with the custom index.
For more information about configuring a UDP input, see Add a network input using inputs.conf in the Splunk Enterprise Getting Data In manual.
2. Modify the write_splunk plug-in
Add this stanza to collectd.conf. To find your collectd.conf file, see collectd package sources, install commands, and locations.
    <LoadPlugin "write_splunk">
      FlushInterval 30
    </LoadPlugin>
In collectd.conf, modify the write_splunk plug-in:
    <Plugin write_splunk>
      server "{UF hostname, IP, or localhost}"
      buffersize 9000
      useudp true
      udpport {UDP_PORT}
    </Plugin>
buffersize is the size (in bytes) of the Send Buffer that the write_splunk plug-in uses. You can increase the buffersize if your operating system supports it.
3. Restart the universal forwarder and collectd
Restart the universal forwarder:
./splunk restart
Restart collectd:
sudo service collectd restart
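The steps above depend on the same UDP port appearing in both inputs.conf and collectd.conf. The following script is an added example, not part of the Splunk documentation, that checks the two files agree; the function names and the sample port 8125 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that inputs.conf (step 1) and collectd.conf (step 2) agree.

# Print the port of the [udp://...] stanza whose sourcetype is em_metrics_udp.
uf_udp_port() {
    awk '
        /^[ \t]*\[/ { port = "" }                 # any new stanza resets state
        /^[ \t]*\[udp:\/\// {
            s = $0; sub(/^[ \t]*\[udp:\/\//, "", s); sub(/\].*$/, "", s)
            sub(/^.*:/, "", s); port = s          # drop an optional "host:" prefix
        }
        /^[ \t]*sourcetype[ \t]*=[ \t]*em_metrics_udp[ \t]*$/ && port != "" { print port; exit }
    ' "$1"
}

# Print udpport from <Plugin write_splunk>, but only when useudp is true.
collectd_udp_port() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<plugin[ \t]+"?write_splunk"?[ \t]*>/ { inblk = 1; next }
        line ~ /^[ \t]*<\/plugin>/ { inblk = 0 }
        inblk && tolower($1) == "useudp"  { udp = tolower($2) }
        inblk && tolower($1) == "udpport" { port = $2 }
        END { gsub(/"/, "", udp); gsub(/"/, "", port)
              if (udp == "true" && port != "") print port }
    ' "$1"
}

# Usage: check_collectd_uf_ports inputs.conf collectd.conf
# Returns 0 on match, 1 on mismatch, 2 or 3 when a setting is missing.
check_collectd_uf_ports() {
    uport=$(uf_udp_port "$1"); cport=$(collectd_udp_port "$2")
    case "$uport" in
        ''|*[!0-9]*) echo "no numeric em_metrics_udp UDP input in $1" >&2; return 2 ;;
    esac
    [ -n "$cport" ] || { echo "write_splunk in $2 lacks useudp true or udpport" >&2; return 3; }
    [ "$uport" = "$cport" ] || { echo "mismatch: forwarder $uport, collectd $cport" >&2; return 1; }
    echo "ok: both sides use UDP port $uport"
}

# Constructed sample files; port 8125 is an arbitrary example value.
demo=$(mktemp -d)
printf '[udp://8125]\nindex = em_metrics\nsourcetype = em_metrics_udp\nno_appending_timestamp = true\n' > "$demo/inputs.conf"
printf '<Plugin write_splunk>\n  server "localhost"\n  buffersize 9000\n  useudp true\n  udpport 8125\n</Plugin>\n' > "$demo/collectd.conf"
check_collectd_uf_ports "$demo/inputs.conf" "$demo/collectd.conf"
rm -rf "$demo"
```

On a real host, pass the forwarder's inputs.conf and your collectd.conf as the two arguments instead of the sample files.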
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5