Monitoring Splunk Enterprise Flashcards
Proactive Splunk component monitoring
REST-based monitoring tool. Access feature health status information using the splunkd health report in Splunk Web, or from the /server/health/splunkd endpoint.
What data Monitoring Console dashboards use
Data from Splunk Enterprise’s internal log files, such as metrics.log, as well as data available from Splunk Enterprise platform instrumentation.
Who can view monitoring console
Only users with the admin role can access the Monitoring Console.
Three main configuration states
- Unconfigured in standalone mode: navigate to the Monitoring Console on an individual instance in your deployment and see that particular instance’s performance.
- Configured in standalone mode: going through the configuration steps, while still in standalone mode, lets you access the default platform alerts.
- Configured in distributed mode: going through the configuration steps for distributed mode lets you log into one instance and view the console’s information for every instance in your deployment.
Monitoring console configuration files location
$SPLUNK_HOME/etc/apps/splunk_monitoring_console/
Which instance will best host the monitoring console?
The instance you choose must meet or exceed the search head reference hardware requirements.
For security and performance reasons, only Splunk Enterprise administrators should have access to this instance.
The instance hosting the monitoring console must not run any searches unrelated to its function as the monitoring console. The only exception is when you are using the console to monitor a standalone single-instance deployment.
Location of MC in a non-clustered deployment
- A license manager
- A deployment server that is servicing a small number (<50) of clients
- A dedicated search head
Location of MC In a deployment with a single indexer cluster
Host the monitoring console on the instance running the manager node if the load on the manager node is below the limits.
You can also host the monitoring console on a search head node in the cluster, but you must dedicate the node to monitoring console searches. You cannot use the search head to run any other searches.
Location of MC In a deployment with multiple indexer clusters
Host the monitoring console on a dedicated search head configured as a search head node on each indexer cluster. Do not use this search head to run any non-monitoring console searches.
Location of MC In a deployment with a search head cluster but without an indexer cluster
- A search head cluster deployer
- A license manager
- A standalone, dedicated search head
Do not run the monitoring console on a search head cluster member.
Monitoring console and deployment server
You cannot host the distributed monitoring console on a deployment server. The exception is a deployment server that handles only a small number of deployment clients, no more than 50.
Monitoring Console setup prerequisites
Each instance in the deployment must have a unique server.conf serverName value and inputs.conf host value.
Forward internal logs (both $SPLUNK_HOME/var/log/splunk and $SPLUNK_HOME/var/log/introspection) to the indexers from all other components.
The user setting up the monitoring console needs the admin_all_objects capability.
Adding Splunk Enterprise instances in MC
You must add each instance that you want to monitor to the monitoring console as a search peer, regardless of the server role, with the exception of indexers that are part of an indexer cluster.
1. Log into the instance on which you want to configure the monitoring console.
2. In Splunk Web, click Settings > Distributed search > Search peers.
3. Click New.
4. Fill in the requested fields, and click Save.
Repeat steps 3 and 4 for each search head, deployment server, license manager, non-clustered indexer, and clustered search head. Do not add clustered indexers. If you are monitoring an indexer cluster and you are hosting the monitoring console on an instance other than the cluster manager, you must add the cluster manager as a search peer and configure the monitoring console instance as a search head in that cluster.