The StackState Splunk health integration collects health from Splunk by executing Splunk saved searches from StackState Agent V2. In order to receive Splunk health data in StackState, configuration needs to be added to both Splunk and StackState Agent V2:
In Splunk - there should be at least one saved search that generates the health data you want to retrieve.
In StackState Agent V2 - a Splunk health check should be configured to connect to your Splunk instance and execute the relevant Splunk saved searches.
The Splunk health check on StackState Agent V2 will execute all configured Splunk saved searches periodically to retrieve a snapshot of the health at the current time.
StackState Agent V2 executes the Splunk saved searches configured in the Splunk health Agent check and pushes retrieved data to StackState. The following fields from the results of a saved search are sent to StackState:
The unique identifier for the check state.
Display name for the check state.
The health value of the check state. Can be clear, deviating or critical.
The identifier of the component/relation this check state belongs to.
Extended message associated with the check state, supports markdown.
| eval health = case(available_pct == 0, "critical", true, "clear")
| eval topology_element_identifier = host
| table check_state_id name health topology_element_identifier
Configure the Splunk health check
To enable the Splunk health integration and begin collecting health data from your Splunk instance, the Splunk health check must be configured on StackState Agent V2. The check configuration provides all details required for the Agent to connect to your Splunk instance and execute a Splunk saved search.