Docs » Available host and application monitors » Configure application receivers for networks » Logstash TCP

Logstash TCP πŸ”—

The Splunk Distribution of OpenTelemetry Collector uses the Smart Agent receiver with the logstash-tcp monitor type to monitor the health and performance of Logstash deployments through Logstash Monitoring APIs. It fetches events from the logstash tcp output plugin operating in either server or client mode and converts them to data points.

This integration is meant to be used in conjunction with the Logstash Metrics filter plugin that turns events into metrics. You can only use autodiscovery when this monitor is in client mode.

This receiver is available on Linux and Windows.

Benefits πŸ”—

After you configure the integration, you can access these features:

  • View metrics. You can create your own custom dashboards, and most monitors provide built-in dashboards as well. For information about dashboards, see View dashboards in Observability Cloud.

  • View a data-driven visualization of the physical servers, virtual machines, AWS instances, and other resources in your environment that are visible to Infrastructure Monitoring. For information about navigators, see Splunk Infrastructure Monitoring navigators.

  • Access the Metric Finder and search for metrics sent by the monitor. For information, see Use the Metric Finder.

Installation πŸ”—

Follow these steps to deploy this integration:

  1. Deploy the Splunk Distribution of OpenTelemetry Collector to your host or container platform:

  2. Configure the monitor, as described in the Configuration section.

  3. Restart the Splunk Distribution of OpenTelemetry Collector.

Configuration πŸ”—

To use this integration of a Smart Agent monitor with the Collector:

  1. Include the Smart Agent receiver in your configuration file.

  2. Add the monitor type to the Collector configuration, both in the receiver and pipelines sections.

Example πŸ”—

To activate this integration, add the following to your Collector configuration:

    type: logstash-tcp
    ... # Additional config

Next, add the monitor to the service > pipelines > metrics > receivers section of your configuration file:

      receivers: [smartagent/logstash-tcp]

Example: Logstash Metrics plugin configuration πŸ”—

The following example shows how to use both timer and meter metrics from the Logstash Metrics filter plugin:

input {
  file {
    path => "/var/log/auth.log"
    start_position => "beginning"
    tags => ["auth_log"]

  # A contrived file that contains timing messages
  file {
    path => "/var/log/durations.log"
    tags => ["duration_log"]
    start_position => "beginning"

filter {
  if "duration_log" in [tags] {
    dissect {
      mapping => {
        "message" => "Processing took %{duration} seconds"
      convert_datatype => {
        "duration" => "float"
    if "_dissectfailure" not in [tags] { # Filter out bad events
      metrics {
        timer => { "process_time" => "%{duration}" }
        flush_interval => 10
        # This makes the timing stats pertain to only the previous 5 minutes
        # instead of since Logstash last started.
        clear_interval => 300
        add_field => {"type" => "processing"}
        add_tag => "metric"
  # Count the number of logins using SSH from /var/log/auth.log
  if "auth_log" in [tags] and [message] =~ /sshd.*session opened/ {
    metrics {
      # This determines how often metric events will be sent to the agent, and
      # thus how often data points will be emitted.
      flush_interval => 10
      # The name of the meter will be used to construct the name of the metric
      # in Splunk Infrastructure Monitoring. For this example, a data point called `logins.count` would
      # be generated.
      meter => "logins"
      add_tag => "metric"

output {
  # This can be helpful to debug
  stdout { codec => rubydebug }

  if "metric" in [tags] {
    tcp {
      port => 8900
      # The agent will connect to Logstash
      mode => "server"
      # Needs to be "" if running in a container.
      host => ""

Once Logstash is configured with the above configuration, the logstash-tcp monitor collects logins.count and process_time.<timer_field>.

Configuration settings πŸ”—

The following table shows the configuration options for this monitor type:








If mode: server, the local IP address to listen on. If mode: client, the Logstash host/ip to connect to.




If mode: server, the local port to listen on. If mode: client, the port of the Logstash TCP output plugin. If port is 0, a random listening port is assigned by the kernel. (default: 0)




Whether to act as a server or client. The corresponding setting in the Logtash tcp output plugin should be set to the opposite of this. (default: client)



list of strings

(default: [mean, max, p99, count])




How long to wait before reconnecting if the TCP connection cannot be made or after it gets broken. (default: 5s)




If true, events received from Logstash will be dumped to the agent’s stdout in deserialized form (default: false)

Metrics πŸ”—

There are no metrics available for this integration.

Troubleshooting πŸ”—

If you are not able to see your data in Splunk Observability Cloud, try these tips:

To learn about even more support options, see Splunk Customer Success.