How do you get the workers to send metrics (like CPU usage, etc.) to Splunk?

Jon Rust

Noob question here... How do you get the workers to send metrics (like CPU usage, etc.) to Splunk? We have the Leader sending cribl metrics, but not the workers.

Brandon McCombs

Enable the internal Cribl Metrics input to send them through the pipelines.

Jon Rust

Since I didn't set up the Cribl env, I will have to look to see how that leader was set up, I guess to see how to do that for the workers.

Brandon McCombs

Not sure what you mean by the leader sending metrics. The leader doesn't send out any metrics.

Jon Rust

0

Jon Rust

These are going to the cribl_logs index. The cpuPerc is what I'm most interested in.

Jon Rust

I think....

Brandon McCombs

Those are only logs. Not actual metrics in a metrics format. Metrics need to go to a metrics index. If what you have there is sufficient then you won't need the cribl metrics source enabled but you'll want the cribl logs source enabled instead.

Jon Rust

So, this is what we have that i would consider the metrics going to a metrics index, but there is nothing in the index (which is a metrics index):

Jon Rust

I didn't set that up, BTW, so please don't think I know why it was set up this way.

Brandon McCombs

Is the cribl metrics source enabled ?

Jon Rust

How do I find that out?

Brandon McCombs

Go into the inputs for each worker group to see if that input is on.

Jon Rust

From the Sources -> Cribl Internal -> CriblMetrics, they are enabled. Is that what you mean?

Brandon McCombs

yes

Jon Rust

So if they are already enabled, why would I not see the metrics in that index?

Jon Rust

Thank you for your help, BTW. I truly appreciate it.

Brandon McCombs

hard to say, i've only seen a small section of your configuration. Maybe a route for them isn't setup? Maybe they aren't even going thru that pipeline.

Jon Rust

Route is there.

Jon Rust

Pipeline:

Brandon McCombs

I recommend filing a support case so we can review the entire config in depth and possibly conduct a zoom call if necessary. Please include a diag bundle from a worker node (not the leader node) for our review.

Jon Rust

Gov't won't let out diags that aren't completely cleaned and then they have to go through a clearance process. But I can file a support case, and do a screen share.