Deployment of the TA-metricator-hec-for-nmon¶
Requirements¶
Operating system¶
The Technology Add-on is compatible with:
- Linux OS X86 in 32/64 bits, PowerPC (PowerLinux), s390x (ZLinux), ARM
- IBM AIX 7.1 and 7.2
- Oracle Solaris 11
Third party software and libraries¶
To operate as expected, the Technology Add-on requires a Python or a Perl environment available on the server:
Python environment: used in priority
Hint
Python 3 support
- From the release 1.1.0 of the Add-ons, Python 3.x is required (unless using Perl)
- The last release supporting Python 2.x is the release 1.0.11
| Requirement | Version |
|---|---|
| Python interpreter | 3.x |
Perl environment: used only in fallback
| Requirement | Version |
|---|---|
| Perl interpreter | 5.x |
| Time::HiRes module | any |
| Text::CSV or Text::CSV_XS module | any |
Notes:
- IBM AIX does not generally contain Python. Nevertheless, Perl is available as a standard and the Technical Add-on has the Perl “Text::CSV” module built-in. More, Time::HiRes is part of Perl core modules.
- Modern Linux distribution generally have Python version 2.7.x available and do not require any further action.
- Linux distributions lacking Python will fallback to Perl and must satisfy the Perl modules requirements.
- If running on a full Splunk instance (any Splunk dedicated machine running Splunk Enterprise), the Technical Add-on uses Splunk built-in Python interpreter.
As well, the servers need to have curl available:
| Requirement | Version |
|---|---|
| curl | any |
Deployment¶
The TA-metricator-for-nmon-hec can be deployed to any full Splunk instance or Universal Forwarder instances.
The technical Add-on should be deployed to the regular Splunk directory for application:
$SPLUNK_HOME/etc/apps
where $SPLUNK_HOME refers to the root directory of the Splunk installation
The Technology Add-on uses relative paths referring to $SPLUNK_HOME, as such it is fully compatible with any deployment where $SPLUNK_HOME refers to a custom directory for your installation.
Deployment by Splunk deployment server¶
The TA-metricator-hec-for-nmon can be deployed by any Splunk deployment server:
Upload the tgz archive on your deployment server in a temporary directory, example:
cd /tmp/
<upload the archive here>
The Support Add-on tgz archive must be uncompressed and installed in $SPLUNK_HOME/etc/deployment-server:
cd /opt/splunk/etc/deployment-server/
tar -xvzf /tmp/TA-metricator-for-nmon_*.tar.gz
If you have any customization required, create a local directory and configure your settings in local/ configuration files.
Finally, create a serverclass or add the TA-metricator-hec-for-nmon application into existing serverclass, required parameters are:
- Enable App
- Restart Splunkd
There are no additional configuration actions required, the monitoring inputs are activated by default and the Technical Add-on will start as soon as it is deployed and splunkd has been restarted
Deployment by any configuration management solution¶
The Technology Add-on can be deployed by any configuration management product such as Ansible, Chef or Pupet.
Steps are the same than for a deployment by Splunk deployment server and the configuration management solution must ensure to issue a proper restart of the Splunk instance after the Technical Add-on deployment.
Configuration of the Splunk HTTP Event Collector¶
The TA-metricator-for-nmon relies on the Splunk HTTP Event Collector to forward metrics, nmon data events and configuration data.
To achieve this, you need to have the HEC input being activated, and a token mist be created.
Requirements are:
- Source name override: Optional
- Sourcetype: Automatic
- Indexes allowed: os-unix-nmon-events, os-unix-nmon-metrics, os-unix-nmon-config
- Default index: os-unix-nmon-events (unused, could be any of the indexes)
In Addition with the global configuration that activates the HEC service, this result in a configuration to be stored into an “inputs.conf” configuration file, such as:
[http://<input_name>]
disabled = 0
index = os-unix-nmon-events
indexes = os-unix-nmon-config,os-unix-nmon-events,os-unix-nmon-metrics
token = <token_value>
Take note of the protocol (http versus https) and the value of the token, and configure the TA:
- Create a local directory in TA-metricator-hec-for-nmon
- Copy default/nmon.conf to local/nmon.conf
- Edit the nmonparser options and ensure to configure the Splunk HEC endpoint URL and the value of your token:
nmonparser_options="--mode fifo --use_fqdn --silent --no_local_log --splunk_http_url https://splunk.mydomain.com:8088/services/collector/event --splunk_http_token insert_your_splunk_http_token --splunk_metrics_index os-unix-nmon-metrics --splunk_events_index os-unix-nmon-events --splunk_config_index os-unix-nmon-config"
What happens once the Technology Add-on has been deployed¶
Once the technical Add-on has been deployed, and the Splunk instance restarted, the following actions are taken automatically:
Fifo reader processes and Nmon processes startup¶
At startup time, Splunk will automatically trigger the execution of the “bin/metricator_helper.sh” script.
This script does several actions, such as:
- Identifying the operating system and its sub-version
- For Linux OS, locally extracting the “bin/linux.tgz” archive if existing and if first deployment/upgrade
- starting the fifo_reader processes
- starting the nmon binary according to the guest Operating System and configuration settings
The script activity is available in:
- standard output:
eventtype=nmon:collect host=<server hostname>
- error output:
index=_internal sourcetype=splunkd host=<server hostname> error metricator_helper.sh
Running processes in machine¶
Several processes can be found in machine, at initial run you will find fifo_reader processes (output might differ specially for paths):
Using Python interpreter: (Universal Forwarder example)
python /opt/splunkforwarder/etc/apps/TA-metricator-for-nmon/bin/metricator_reader.py --fifo fifo1
/bin/sh -c /opt/splunkforwarder/etc/apps/TA-metricator-for-nmon/bin/metricator_reader.sh /opt/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1/nmon.fifo
/bin/sh /opt/splunkforwarder/etc/apps/TA-metricator-for-nmon/bin/metricator_reader.sh /opt/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1/nmon.fifo
Using Perl interpreter: (Universal Forwarder example)
/usr/bin/perl /opt/splunkforwarder/etc/apps/TA-metricator-for-nmon/bin/metricator_reader.pl --fifo fifo1
/bin/sh /opt/splunkforwarder/etc/apps/TA-metricator-for-nmon/bin/metricator_reader.sh /opt/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1/nmon.fifo
The startup operation will be visible by a message logged:
eventtype=nmon:collect starting fifo_reader
Example:
12-02-2018 05:12:14, sys-91371.dal-ebis.ihost.com INFO: starting the fifo_reader fifo1
In addition, you will find an nmon binary instance running, example: (output will differ depending on operating systems and settings)
/opt/splunkforwarder/var/log/metricator/bin/linux/rhel/nmon_power_64_rhel6_be -F /opt/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1/nmon.fifo -T -s 60 -c 1440 -d 1500 -g auto -D -p
The startup operation will be visible by a message logged:
eventtype=nmon:collect starting nmon
Example:
12-02-2018 05:12:15, sys-91371.dal-ebis.ihost.com INFO: starting nmon : /opt/splunkforwarder/var/log/metricator/bin/linux/sles/nmon_power_64_sles12_le -F /opt/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1/nmon.fifo -T -s 60 -c 1440 -d 1500 -g auto -D -p in /opt/splunkforwarder/var/log/metricator/var/nmon_repository/fifo1
Nmon data processing¶
The Nmon data processing is achieved every minute by the script “metricator_consumer.sh”
Its activity is indexed in Splunk, and available via the following search:
eventtype=nmon:processing host=<server hostname>
Example:
12-02-2018 09:50:02 Reading NMON data: 440 lines 26766 bytes
Splunk Root Directory ($SPLUNK_HOME): /opt/splunkforwarder
Add-on type: /opt/splunkforwarder/etc/apps/TA-metricator-for-nmon
Add-on version: 1.0.0
nmonparser version: 2.0.0
Guest Operating System: linux
Python version: 2.7.5
HOSTNAME: sys-91367.dal-ebis.ihost.com
NMON VERSION: 16f
TIME of Nmon Data: 05:11.54
DATE of Nmon data: 12-FEB-2018
INTERVAL: 60
SNAPSHOTS: 1440
logical_cpus: 1
NMON OStype: Linux
virtual_cpus: 1
SerialNumber: PPD-Linux
NMON ID: 12-FEB-2018:05:11.54,sys-91367.dal-ebis.ihost.com,PPD-Linux,26766,1518430314,1518446953
ANALYSIS: Enforcing fifo mode using --mode option
Starting_epochtime: 1518430314
Ending_epochtime: 1518446953
last known epoch time: 0
CONFIG section: will not be extracted (time delta of 66282 seconds is inferior to 86400 seconds)
Output mode is configured to run in minimal mode using the --silent option
Elapsed time was: 0.188985 seconds
Splunk indexing¶
Unlike the TA-metricator-for-nmon, the HEC version directly streams the metrics and data to Splunk using the HEC endpoint.
This operation happens transparently and silently during the execution of the nmonparser_hec.py | nmonparser_hec.pl scripts.
In case of issue, please refer to the official documentation: http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/HECWalkthrough
You can achieve a manual test using the curl command such as:
curl -k https://<host>:8088/services/collector -H 'Authorization: Splunk <token>' -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
The nmonparser_hec scripts use exactly the same behavior to forward data to the HEC endpoint.