icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Analytics for Linux
SHA256 checksum (analytics-for-linux_330.tgz) 16ac9f415c40d572cf7c31f49c24efda518a4990cc9f1cab362f92f93e08e635 SHA256 checksum (analytics-for-linux_321.tgz) 9cc10cc3e8ff84242b9e6be18e5f2cfde9b931ce952f1c18f48315eb77b6fa79 SHA256 checksum (analytics-for-linux_320.tgz) e78fc18b308dcd4c68e8bb858967477529c9607e226dffb8be105e697895d1f3 SHA256 checksum (analytics-for-linux_310.tgz) f67090b4b84dd885d6fe96d0b766643ccea78aa96b661719edbbcd1b0f12b740 SHA256 checksum (analytics-for-linux_301.tgz) bfeb20b435ca51d58284bccf6bf3243f511d75a454a37b37433b6e7090408bc4 SHA256 checksum (analytics-for-linux_300.tgz) 5902f38ef100bf0cc93074ed849fa41b4e4d31386c56f74b8cc575d399523ed2 SHA256 checksum (analytics-for-linux_220.tgz) 4aff42a8e64fc19d1241bbf9cb2495d8fe9580a707f381c3194f8f3869905048 SHA256 checksum (analytics-for-linux_210.tgz) 00a1f732c0e551f25a98017188bae09f4fe5f274e1cff7d27789b83261813449 SHA256 checksum (analytics-for-linux_201.tgz) cc44da7bf0ba41fded54d8e45d64f2941f9e10c74af388fd21b4ce034deb81cf
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Analytics for Linux

This app is NOT supported by Splunk. Please read about what that means for you here.
Analytics for Linux helps you quickly and easily analyse system and application performance metrics in Splunk.

Just configure collectd on your Linux servers to push metrics to your Splunk HTTP Event Collector and into a metrics index.

All dashboards in the app utilize the mstats command to query the Metrics Store (new to Splunk Enterprise 7.x) which enables massive performance improvements, i.e. 200 - 2000x faster queries.

Dashboards include graphs of CPU, Memory, Swap, Load, Disk Usage, Processes, Network Interface Utilization, Network Latency (Ping), and nginx & Apache web servers.

Custom Visualization prerequisites:
Horizon Chart: https://splunkbase.splunk.com/app/3117/
Horseshoe Meter: https://splunkbase.splunk.com/app/3166/

Feedback welcome :)


Configure your collectd agents to send metrics using the "write_http" plugin to a Splunk HTTP Event Collector with the built-in sourcetype called “collectd_http”

i.e. “Analytics for Linux” doesn’t require a separate Splunk Technology Add-on (TA) for ingestion of metrics.

Create a new 'metric' index

e.g. collectd:

indexes.conf :-

datatype   = metric
homePath   = $SPLUNK_DB/collectd/db
coldPath   = $SPLUNK_DB/collectd/colddb
thawedPath = $SPLUNK_DB/collectd/thaweddb

Add a new HTTP Event Collector token

e.g. replace hec_token below:

inputs.conf :-

source=collectd token

Install and configure collectd

an example configuration file has been included in this app:
i.e. $SPLUNK_HOME/etc/apps/sh_collectd/examples/collectd.conf

Note: You must replace splunk_server & hec_token in the Node definition, e.g.

<Plugin write_http>
<Node "node1">
URL "https://splunk_server:8088/services/collector/raw"
Header "Authorization: Splunk hec_token"
Format "JSON"
VerifyPeer false
VerifyHost false
Metrics true
StoreRates true

Start Collectd

/etc/init.d/collectd start


  • Overview
  • Load
  • CPU Overview
  • CPU Detail (overall and per core)
  • Memory Usage (used, cached, buffered, swapped, free memory)
  • Storage Trending (in-/decrease per host and per partition)
  • Storage Timeline (Host and Partition usage over time)
  • Storage Performance (IOPs, Latency, Volume) by Host and Partition
  • Process State (running, sleeping, blocked and zombie processes) over time
  • Network Throughput and Errors (Packets/s) by Host and Interface
  • Ping (Network Latency)
  • Metrics Comparison with Horizon Chart - compare two or more hosts
  • Metrics Explorer (inspired by the Metrics Explorer for Splunk app)
  • Metrics Navigator - dynamically display multiple charts of metrics
  • nginx Usage
  • Apache Usage


Developer: Luke Harris (Data Analytics Practice Lead at Katana1)
Web: https://katana1.com
Twitter: https://twitter.com/skywalka



Stop, Collaborate, and Listen

Issues & Pull Requests are welcome :)

Collectd Compatibility

This app has been tested with the following versions of collectd:
Ubuntu: collectd,, &
RHEL 7: collectd 5.8.0-1
CentOS 7: collectd 5.7.1-2
Amazon Linux: collectd 5.7.1-3.19
Mac OS X: collectd 5.8.0

Note: collectd version 5.6 or higher is required.

Splunk Compatibility

Minimum Version 7.x

Splunk Documentation for Collectd


Splunk ebook - The Beginner's Guide to Collectd



1/ Run the following search to confirm that metrics are being indexed :-

|  mcatalog values(metric_name)

2/ Add the collectd index to "Indexes searched by default" :-


3/ Ensure that the sourcetype is set to "collectd_http" :-

Example error in splunkd.log:

WARN  IndexProcessor - Index Processor: Metric value=unset is not valid for source=collectd_linux, sourcetype=hec, host=foo, index=collectd. Metric event data with an invalid metric value would not be indexed. Ensure the input metric data is not malformed.

4/ Ensure that collectd can connect to the network using TCP by turning on the "collectd_tcp_network_connect" boolean for SELinux which is disabled by default :-

Example error in /var/log/messages or /var/log/syslog:

write_http plugin: curl_easy_perform failed with status 7: Failed to connect to Permission denied


# setsebool -P collectd_tcp_network_connect 1

Thank You

This app was inspired by the 'Collectd App for Splunk Enterprise' by Nexinto GmbH

Release Notes

Version 3.3.0
Jan. 12, 2018

Added Overview dashboard, Added CPU Overview dashboard, Fixed Bugs in Storage Trends dashboard, & Added Ping dashboard

Version 3.2.1
Jan. 11, 2018

Added a host multi-select dropdown to the Overview and CPU Overview dashboards

Version 3.2.0
Jan. 9, 2018

Added Overview dashboard, Added CPU Overview dashboard, & Fixed Bugs in Storage Trends dashboard

Version 3.1.0
Nov. 27, 2017

Updated Storage Performance chart with per host metrics, Added Index dropdown to Metrics dashboards, & Updated CPU Usage dashboard with Cores dropdown

Version 3.0.1
Nov. 20, 2017

Updated configs in readiness for app certification

Version 3.0.0
Nov. 15, 2017

New dashboards for nginx & Apache web servers

Version 2.2.0
Nov. 9, 2017

Added the Metrics Navigator dashboard to dynamically display multiple charts of metrics

Version 2.1.0
Nov. 8, 2017

Added new dashboards to explore and compare metrics

Version 2.0.1
Nov. 2, 2017

Version 2.0.1 - Removed erroneous configs

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.