Splunk health
StackState Self-hosted v4.6.x

Overview

The StackState Splunk health integration collects health from Splunk by executing Splunk saved searches from StackState Agent V2. In order to receive Splunk health data in StackState, configuration needs to be added to both Splunk and StackState Agent V2:
  • ​In Splunk - there should be at least one saved search that generates the health data you want to retrieve.
  • ​In StackState Agent V2 - a Splunk health check should be configured to connect to your Splunk instance and execute the relevant Splunk saved searches.
The Splunk health check on StackState Agent V2 will execute all configured Splunk saved searches periodically to retrieve a snapshot of the health at the current time.

Splunk saved search

Fields used

StackState Agent V2 executes the Splunk saved searches configured in the Splunk health Agent check and pushes retrieved data to StackState. The following fields from the results of a saved search are sent to StackState:
Field
Type
Required?
Description
check_state_id
βœ…
string
The unique identifier for the check state.
name
string
βœ…
Display name for the check state.
health
string
βœ…
The health value of the check state. Can be clear, deviating or critical.
topology_element_identifier
string
βœ…
The identifier of the component/relation this check state belongs to.
message
string
-
Extended message associated with the check state, supports markdown.

Example Splunk query

Splunk query for components
1
| loadjob savedsearch=:disks
2
| search OrganizationPart="*" OrgGrp="*" company="*"
3
| table host disk available_pct
4
| eval check_state_id = strcat host "_" disk
5
| eval name = disk
6
| eval health = case(available_pct == 0, "critical", true, "clear")
7
| eval topology_element_identifier = host
8
| table check_state_id name health topology_element_identifier
Copied!

Agent check

Configure the Splunk health check

To enable the Splunk health integration and begin collecting health data from your Splunk instance, the Splunk health check must be configured on StackState Agent V2. The check configuration provides all details required for the Agent to connect to your Splunk instance and execute a Splunk saved search.
Example Splunk health Agent check configuration file: splunk_health/conf.yaml.example (github.com)​
To configure the Splunk health Agent check:
  1. 1.
    Edit the StackState Agent V2 configuration file /etc/stackstate-agent/conf.d/splunk_health.d/conf.yaml.
  2. 2.
    Under instances, add details of your Splunk instance:
    • url - The URL of your Splunk instance.
    • authentication - How the Agent should authenticate with your Splunk instance. Choose either token-based (recommended) or basic authentication. For details, see authentication configuration details.
    • ignore_saved_search_errors - Set to false to return an error if one of the configured saved searches does not exist. Default true.
    • collection_interval - The interval at which the check is scheduled to run.
  3. 3.
    Under saved_searches, add details of each Splunk saved search that the check should execute to retrieve health information:
    • name - The name of the Splunk saved search to execute.
      • match - Regex used for selecting Splunk saved search queries. Default "health.*".
      • app - The Splunk app in which the saved searches are located. Default "search".
      • request_timeout_seconds - Default 10.
      • search_max_retry_count - Default 5.
      • search_seconds_between_retries - Default 1.
      • batch_size - Default 1000.
      • parameters - Used in the Splunk API request. The default parameters provided make sure the Splunk saved search query refreshes. Default force_dispatch: true and dispatch.now: true.
  4. 4.
    More advanced options can be found in the example configuration (github.com).
  5. 5.
    Save the configuration file.
  6. 6.
    Restart StackState Agent V2 to apply the configuration changes.
  7. 7.
    Incoming health data will be mapped to associated components and relations in the StackState UI as check states.
  8. 8.
    To more closely inspect what the synchronization is doing, use the StackState CLI​
The configured collection_interval will be used as the repeat_interval for the health synchronization. Make sure that the value set for the the collection_interval matches the time that the check will take to run.

Disable the Agent check

To disable the Splunk health Agent check:
  1. 1.
    Remove or rename the Agent integration configuration file, for example:
    1
    mv /etc/stackstate-agent/conf.d/splunk_health.d/conf.yaml /etc/stackstate-agent/conf.d/splunk_health.d/conf.yaml.bak
    Copied!
  2. 2.
    Restart StackState Agent V2 to apply the configuration changes.

See also