Source types for the Splunk Add-on for Linux
The Splunk Add-on for Linux provides the index-time and search-time knowledge for CollectD and AuditD.
The add-on defines three CollectD source types:

- linux:collectd:http:json is for performance metrics sent to the Splunk platform through HEC in JSON format.
- linux:collectd:graphite is for performance metrics sent to the Splunk platform through TCP in Graphite format.
- linux:collectd:http:metrics is for performance metrics sent to the Splunk platform through HEC.
CollectD data works with ITSI data models.
Note
The two source types linux:collectd:http:json and linux:collectd:graphite collect the same data from CollectD. However, the collection method and the data format are different for these two source types.
Send data in JSON format through HEC. The data collected in JSON format contains more information than Graphite provides (for example the data source types, the collection interval and the meta block), which improves knowledge mapping to the Splunk IT Service Intelligence (ITSI) data model for Linux KPIs. For example, a network interface measurement in Graphite format is presented as two separate lines, one per data source:

localhost-234.interface-eno16777984.if_octets.tx 573.300503 1481692948
localhost-234.interface-eno16777984.if_octets.rx 783.017354 1481692948

The same measurement in JSON format is presented as a single event:

{"values":[783.017354110699,573.300503324745],"dstypes":["derive","derive"],"dsnames":["rx","tx"],"time":1481692948.296,"interval":60.000,"host":"localhost-234","plugin":"interface","plugin_instance":"eno16777984","type":"if_octets","type_instance":"","meta":{"network:received":true}}
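The following Python script is an added example, not code from the Splunk Add-on for Linux or from CollectD. It parses both wire formats shown above, regroups the two Graphite lines into one event with the same shape as the JSON event, checks that both describe the same measurement, and reports the fields that only the JSON format carries. The sample lines and the JSON event are constructed from the example above; the Graphite path layout host.plugin[-plugin_instance].type[-type_instance][.dsname], and the assumption that a missing dsname segment means a single data source named "value", are taken from collectd's write_graphite conventions and are assumptions of this example.

```python
"""Parse CollectD Graphite lines and CollectD JSON (write_http) events and
compare them. Added example; not part of the Splunk Add-on for Linux."""
import json
import math
from collections import OrderedDict

# Constructed sample input, modelled on the interface/if_octets example above.
GRAPHITE_LINES = [
    "localhost-234.interface-eno16777984.if_octets.tx 573.300503 1481692948",
    "localhost-234.interface-eno16777984.if_octets.rx 783.017354 1481692948",
]
JSON_EVENT = (
    '{"values":[783.017354110699,573.300503324745],"dstypes":["derive","derive"],'
    '"dsnames":["rx","tx"],"time":1481692948.296,"interval":60.000,'
    '"host":"localhost-234","plugin":"interface","plugin_instance":"eno16777984",'
    '"type":"if_octets","type_instance":"","meta":{"network:received":true}}'
)

# Fields present in the JSON event that the Graphite line format cannot express.
JSON_ONLY_FIELDS = ("dstypes", "interval", "meta")


def parse_graphite_line(line):
    """Parse one write_graphite line '<path> <value> <timestamp>'.

    Assumed path layout: host.plugin[-plugin_instance].type[-type_instance][.dsname].
    The dsname segment is absent for single-value types (collectd only appends it
    when AlwaysAppendDS is set); 'value' is assumed in that case.
    """
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"malformed Graphite line: {line!r}")
    path, value, ts = fields
    parts = path.split(".")
    if len(parts) == 3:
        parts.append("value")
    if len(parts) != 4:
        raise ValueError(f"unexpected Graphite path depth: {path!r}")
    host, plugin_seg, type_seg, dsname = parts
    # Hostnames can contain '-' (localhost-234), so split on '.' first and only
    # then split the plugin and type segments on their first '-'.
    plugin, _, plugin_instance = plugin_seg.partition("-")
    type_, _, type_instance = type_seg.partition("-")
    return {
        "host": host, "plugin": plugin, "plugin_instance": plugin_instance,
        "type": type_, "type_instance": type_instance,
        "dsname": dsname, "value": float(value), "time": int(ts),
    }


def graphite_to_events(lines):
    """Regroup Graphite lines into one event per (host, plugin, instance, type, time),
    i.e. the shape of a collectd JSON event minus the JSON-only fields."""
    events = OrderedDict()
    for line in lines:
        m = parse_graphite_line(line)
        key = (m["host"], m["plugin"], m["plugin_instance"],
               m["type"], m["type_instance"], m["time"])
        ev = events.setdefault(key, {
            "host": m["host"], "plugin": m["plugin"],
            "plugin_instance": m["plugin_instance"], "type": m["type"],
            "type_instance": m["type_instance"], "time": m["time"],
            "values": {},
        })
        ev["values"][m["dsname"]] = m["value"]
    return list(events.values())


def parse_json_events(text):
    """Normalise collectd JSON events (a single object or, as write_http sends
    them, an array of objects) into the same shape as graphite_to_events()."""
    data = json.loads(text)
    out = []
    for ev in data if isinstance(data, list) else [data]:
        if len(ev["values"]) != len(ev["dsnames"]):
            raise ValueError("values/dsnames length mismatch")
        out.append({
            "host": ev["host"], "plugin": ev["plugin"],
            "plugin_instance": ev["plugin_instance"], "type": ev["type"],
            "type_instance": ev["type_instance"], "time": int(ev["time"]),
            "values": dict(zip(ev["dsnames"], ev["values"])),
            "extra": {k: ev[k] for k in JSON_ONLY_FIELDS if k in ev},
        })
    return out


def same_measurement(graphite_ev, json_ev, tol=1e-6):
    """True when both events describe the same sample. Graphite prints values
    with six decimals and integer seconds, so compare with a tolerance."""
    for k in ("host", "plugin", "plugin_instance", "type", "type_instance", "time"):
        if graphite_ev[k] != json_ev[k]:
            return False
    if set(graphite_ev["values"]) != set(json_ev["values"]):
        return False
    return all(math.isclose(graphite_ev["values"][ds], json_ev["values"][ds], abs_tol=tol)
               for ds in graphite_ev["values"])


if __name__ == "__main__":
    g = graphite_to_events(GRAPHITE_LINES)
    j = parse_json_events(JSON_EVENT)[0]
    print("same measurement:", same_measurement(g[0], j))
    print("JSON-only fields:", j["extra"])
```

The grouping key in graphite_to_events is what makes the comparison meaningful: a Graphite feed only becomes one logical measurement once the rx and tx lines sharing the same host, plugin instance, type and timestamp are joined back together, which is exactly the information the JSON event already carries in its dsnames and values arrays.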
AuditD data works with CIM data models.
| Source type | Event type | CIM data model |
|---|---|---|
| linux:audit | linux_audit_account_change | Change |
| linux:audit | linux_audit_authentication | Authentication |
| linux:audit | linux_audit_endpoint | Endpoint |
| linux:audit | linux_audit_endpoint_services | Endpoint |