Connects Splunk to StackState in order to:
The StackState Agent can be configured to execute Splunk saved searches and provide the results as metrics to the StackState intake API. It dispatches the saved searches periodically, each time requesting results from the last received metric timestamp up until now.
The StackState Agent expects the results of the saved searches to contain certain fields, as described below in the Metric Query Format. Any other fields present in the result are mapped to tags, where the column name is the key and the content is the value. The Agent filters out Splunk default fields (except `_time`), such as `_raw`; see the Splunk documentation for more information about default fields.
The agent check prevents sending duplicate metrics over multiple check runs. The received saved search records have to be uniquely identified for comparison. By default, a record's identity is composed of Splunk's default fields `_cd`. The default behavior can be changed for each saved search by setting `unique_key_fields` in the check's configuration. Please note that the specified `unique_key_fields` fields become mandatory for each record. If the records cannot be uniquely identified by a combination of fields, the whole record can be used by setting `unique_key_fields` to an empty list.
All these fields are required.
| Field | Type | Description |
|---|---|---|
| _time | long | Data collection timestamp, millis since epoch |
| metric% | string | Name of the metric |
| value% | numeric | The value of the metric |

% The name of the field is configurable in the configuration file.
Example Splunk query:
```
index=vms MetricId=cpu.usage.average | table _time VMName Value | eval VMName = upper(VMName) | rename VMName as metricCpuUsageAverage, Value as valueCpuUsageAverage | eval type = "CpuUsageAverage"
```
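The following Python sketch is an added illustration of the behaviour described above (required fields, extra columns mapped to tags, de-duplication by `unique_key_fields`); it is not the StackState Agent's code. The function names, the rule that a default field is any field starting with `_`, and the sample rows are assumptions constructed for this example.

```python
# Illustrative model of the documented behaviour; not the StackState Agent's code.
# Assumption: a Splunk default field is any field whose name starts with "_".


def record_identity(record, unique_key_fields):
    """Return a hashable identity for one saved search record."""
    if not unique_key_fields:  # empty list: the whole record is the identity
        return tuple(sorted(record.items()))
    missing = [f for f in unique_key_fields if f not in record]
    if missing:  # configured key fields are mandatory for every record
        raise ValueError("record lacks unique key fields: %s" % missing)
    return tuple(record[f] for f in unique_key_fields)


def to_metric(record, metric_field="metric", value_field="value"):
    """Split one record into (timestamp_ms, name, value, tags)."""
    for field in ("_time", metric_field, value_field):
        if field not in record:
            raise ValueError("required field missing: %s" % field)
    # _time is kept as the timestamp; other default fields are dropped.
    tags = {k: v for k, v in record.items()
            if not k.startswith("_") and k not in (metric_field, value_field)}
    return int(record["_time"]), record[metric_field], float(record[value_field]), tags


def process(records, seen, unique_key_fields, **names):
    """Convert records to metrics, skipping identities seen in earlier runs."""
    out = []
    for rec in records:
        ident = record_identity(rec, unique_key_fields)
        if ident in seen:
            continue
        seen.add(ident)
        out.append(to_metric(rec, **names))
    return out


# Constructed sample rows shaped like the output of the example query.
SAMPLE = [
    {"_time": "1700000000000", "_cd": "0:1", "_raw": "...", "type": "CpuUsageAverage",
     "metricCpuUsageAverage": "VM01", "valueCpuUsageAverage": "12.5"},
    {"_time": "1700000060000", "_cd": "0:2", "_raw": "...", "type": "CpuUsageAverage",
     "metricCpuUsageAverage": "VM01", "valueCpuUsageAverage": "14.0"},
]
NAMES = {"metric_field": "metricCpuUsageAverage", "value_field": "valueCpuUsageAverage"}
```

Keeping the `seen` set between calls to `process` models successive check runs: a record returned again by an overlapping search window is dropped instead of being sent twice.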