diff --git a/apps/splunk_health_overview/README b/apps/splunk_health_overview/README new file mode 100644 index 00000000..07b227e8 --- /dev/null +++ b/apps/splunk_health_overview/README @@ -0,0 +1,42 @@ +The Splunk Health Overview app helps you easily manage your Splunk environment and provides a high level overview of key metrics. + +It features several helpful views: + +Health Status +License Overview +Search Activity +Resource Usage +Scheduler Activity +User Activity +Available Indexes +Indexes and Fields + + +The Splunk Monitoring App Focuses on the following areas: + +Health Status – status of your instances, forwarders, data feeds, and internal messages. +License Overview – shows the status of your license usage, license trending, and index and indexer capacity - takes advantage of the Internal Events data model. +Resource Usage - uses the Introspection Usage data model for a look into Splunk and system resource usage. +Search Activity – illustrates what users are searching in your environment and allows you to easily identify poorly written searches. +Scheduler Activity – information regarding job schedules. +User Activity – information regarding user activity. +Available Indexes – shows what indexes and source types are in your environment with a custom contextual drill down capability that launches a new search with the index/sourcetype in question defined. This has proven very successful as users no longer have to run expensive exploratory searches to determine what indexes and sourcetypes are available to their role. +Indexes and Fields - Contains detail regarding field extractions for sourcetypes and the fields that are extracted. + +Getting Started: + +Once the app is installed a restart is required. After the restart you will need to run two of the scheduled saved searches avail_indexes and all_servers. These two lookups will gather information regarding your environment and are crucial to the apps functionality. If the all_servers lookup does not generate accurate information in your environment you will need to manually edit this. + +Other Gotchas: +There is an Internal Events and Introspection accelerated data model will will need to complete acceleration. + +You can customized thresholds based on your license capacity. By default, the filler gauge is set to 10 GB. + +Splunk instances running on Mac OSX do not generate Introspection data. + +Each instance that wants to be monitored will need to be a search peer so Splunk can collect the role information from that host. If it is not setup as a peer Splunk can still collect information regarding that host granted it is sending data to a host that is a Splunk search peer but will not show information generated from REST. + +Currently only supported on Splunk 6.1+. To get this app functioning with 6.0.x you will need remove the panel tags from the xml views and remove any panel embedded time range picker as well as any multiselect inputs. + + +Special thanks to Sanford Owings and Vlad Skoryk. diff --git a/apps/splunk_health_overview/appserver/static/search_health.css b/apps/splunk_health_overview/appserver/static/search_health.css new file mode 100755 index 00000000..7a2106c5 --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/search_health.css @@ -0,0 +1,46 @@ + /* Custom Icons */ + td.icon { + text-align: center; + } + td.icon i { + font-size: 25px; + text-shadow: 1px 1px #aaa; + } + td.icon .severe { + color: red; + } + td.icon .elevated { + color: orangered; + } + td.icon .low { + color: #006400; + } + /* Row Coloring */ + #highlight tr td { + background-color: #c1ffc3 !important; + } + #highlight tr.range-elevated td { + background-color: #ffc57a !important; + } + #highlight tr.range-severe td { + background-color: #d59392 !important; + } + #highlight .table td { + border-top: 1px solid #fff; + } + #highlight td.range-severe, td.range-elevated { + font-weight: bold; + } + .icon-inline i { + font-size: 18px; + margin-left: 5px; + } + .icon-inline i.icon-alert-circle { + color: #ef392c; + } + .icon-inline i.icon-alert { + color: #ff9c1a; + } + .icon-inline i.icon-check { + color: #5fff5e; + } \ No newline at end of file diff --git a/apps/splunk_health_overview/appserver/static/search_health.js b/apps/splunk_health_overview/appserver/static/search_health.js new file mode 100755 index 00000000..e2fda04f --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/search_health.js @@ -0,0 +1,39 @@ + require([ + 'underscore', + 'jquery', + 'splunkjs/mvc', + 'splunkjs/mvc/tableview', + 'splunkjs/mvc/simplexml/ready!' + ], function(_, $, mvc, TableView) { + // Translations from rangemap results to CSS class + var ICONS = { + severe: 'alert-circle', + elevated: 'alert', + low: 'check-circle' + }; + var RangeMapIconRenderer = TableView.BaseCellRenderer.extend({ + canRender: function(cell) { + // Only use the cell renderer for the range field + return cell.field === 'Status'; + }, + render: function($td, cell) { + var icon = 'question'; + // Fetch the icon for the value + if (ICONS.hasOwnProperty(cell.value)) { + icon = ICONS[cell.value]; + } + // Create the icon element and add it to the table cell + $td.addClass('icon').html(_.template('', { + icon: icon, + range: cell.value + })); + } + }); + mvc.Components.get('table_status').getVisualization(function(tableView){ + // Register custom cell renderer + tableView.table.addCellRenderer(new RangeMapIconRenderer()); + // Force the table to re-render + tableView.table.render(); + }); + + }); diff --git a/apps/splunk_health_overview/appserver/static/server_health.css b/apps/splunk_health_overview/appserver/static/server_health.css new file mode 100755 index 00000000..7a2106c5 --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/server_health.css @@ -0,0 +1,46 @@ + /* Custom Icons */ + td.icon { + text-align: center; + } + td.icon i { + font-size: 25px; + text-shadow: 1px 1px #aaa; + } + td.icon .severe { + color: red; + } + td.icon .elevated { + color: orangered; + } + td.icon .low { + color: #006400; + } + /* Row Coloring */ + #highlight tr td { + background-color: #c1ffc3 !important; + } + #highlight tr.range-elevated td { + background-color: #ffc57a !important; + } + #highlight tr.range-severe td { + background-color: #d59392 !important; + } + #highlight .table td { + border-top: 1px solid #fff; + } + #highlight td.range-severe, td.range-elevated { + font-weight: bold; + } + .icon-inline i { + font-size: 18px; + margin-left: 5px; + } + .icon-inline i.icon-alert-circle { + color: #ef392c; + } + .icon-inline i.icon-alert { + color: #ff9c1a; + } + .icon-inline i.icon-check { + color: #5fff5e; + } \ No newline at end of file diff --git a/apps/splunk_health_overview/appserver/static/server_health.js b/apps/splunk_health_overview/appserver/static/server_health.js new file mode 100755 index 00000000..4cd47239 --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/server_health.js @@ -0,0 +1,52 @@ + require([ + 'underscore', + 'jquery', + 'splunkjs/mvc', + 'splunkjs/mvc/tableview', + 'splunkjs/mvc/simplexml/ready!' + ], function(_, $, mvc, TableView) { + // Translations from rangemap results to CSS class + var ICONS = { + severe: 'alert-circle', + elevated: 'alert', + low: 'check-circle' + }; + var RangeMapIconRenderer = TableView.BaseCellRenderer.extend({ + canRender: function(cell) { + // Only use the cell renderer for the range field + return cell.field === 'Status'; + }, + render: function($td, cell) { + var icon = 'question'; + // Fetch the icon for the value + if (ICONS.hasOwnProperty(cell.value)) { + icon = ICONS[cell.value]; + } + // Create the icon element and add it to the table cell + $td.addClass('icon').html(_.template('', { + icon: icon, + range: cell.value + })); + } + }); + mvc.Components.get('table_status').getVisualization(function(tableView){ + // Register custom cell renderer + tableView.table.addCellRenderer(new RangeMapIconRenderer()); + // Force the table to re-render + tableView.table.render(); + }); + mvc.Components.get('real_status').getVisualization(function(tableView){ + // Register custom cell renderer + tableView.table.addCellRenderer(new RangeMapIconRenderer()); + // Force the table to re-render + tableView.table.render(); + + }); +mvc.Components.get('forwarder_status').getVisualization(function(tableView){ + // Register custom cell renderer + tableView.table.addCellRenderer(new RangeMapIconRenderer()); + // Force the table to re-render + tableView.table.render(); + }); + + }); diff --git a/apps/splunk_health_overview/appserver/static/table_cell_highlighting.css b/apps/splunk_health_overview/appserver/static/table_cell_highlighting.css new file mode 100755 index 00000000..a22bfd98 --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/table_cell_highlighting.css @@ -0,0 +1,24 @@ + +/* Cell Highlighting */ + +/* +#highlight td { + background-color: #c1ffc3 !important; +} +*/ + +#highlight td.range-low { + background-color: #00CC00; +} + +#highlight td.range-elevated { + background-color: #FF9933 !important; + font-weight: bold; +} + +#highlight td.range-severe { + background-color: #FF0000 !important; + font-weight: bold; +} + + diff --git a/apps/splunk_health_overview/appserver/static/table_cell_highlighting.js b/apps/splunk_health_overview/appserver/static/table_cell_highlighting.js new file mode 100755 index 00000000..bcc2f577 --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/table_cell_highlighting.js @@ -0,0 +1,51 @@ +require([ + 'underscore', + 'jquery', + 'splunkjs/mvc', + 'splunkjs/mvc/tableview', + 'splunkjs/mvc/simplexml/ready!' +], function(_, $, mvc, TableView) { + + // Row Coloring Example with custom, client-side range interpretation + + var CustomRangeRenderer = TableView.BaseCellRenderer.extend({ + canRender: function(cell) { + // Enable this custom cell renderer for both the active_hist_searches and the active_realtime_searches field + return _(['Percent']).contains(cell.field); + }, + render: function($td, cell) { + // Add a class to the cell based on the returned value + var value = parseFloat(cell.value); + + // Apply interpretation for number of historical searches + if (cell.field === 'Percent') { + if (value > 85) { + $td.addClass('range-cell').addClass('range-severe'); + } + else if (value > 60) { + $td.addClass('range-cell').addClass('range-elevated'); + } + else if (value >= 0) { + $td.addClass('range-cell').addClass('range-low'); + } + } + + // Update the cell content + $td.text(value.toFixed(2)).addClass('numeric'); + } + }); + + mvc.Components.get('highlight').getVisualization(function(tableView) { + // Add custom cell renderer + tableView.table.addCellRenderer(new CustomRangeRenderer()); + // tableView.on('rendered', function() { + // Apply class of the cells to the parent row in order to color the whole row + // tableView.$el.find('td.range-cell').each(function() { + // $(this).addClass(this.className); + // }); + //}); + // Force the table to re-render + tableView.table.render(); + }); + +}); diff --git a/apps/splunk_health_overview/appserver/static/table_data_bar.css b/apps/splunk_health_overview/appserver/static/table_data_bar.css new file mode 100755 index 00000000..2894a7bd --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/table_data_bar.css @@ -0,0 +1,21 @@ +td.data-bar-cell { + padding: 4px 8px; +} + +td.data-bar-cell .data-bar-wrapper .data-bar { + height: 16px; + min-width: 1px; + background-color: #5479AF; + + font-weight: bold; +} + +.data-bar-over { color: #FFFFFF; } +.data-bar-under { color: #000000; } + +.data-bar-wrapper { + + border-style: solid; + border-width: 1px; +} + diff --git a/apps/splunk_health_overview/appserver/static/table_data_bar.js b/apps/splunk_health_overview/appserver/static/table_data_bar.js new file mode 100755 index 00000000..8b408784 --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/table_data_bar.js @@ -0,0 +1,30 @@ +require([ + 'jquery', + 'underscore', + 'splunkjs/mvc', + 'views/shared/results_table/renderers/BaseCellRenderer', + 'splunkjs/mvc/simplexml/ready!' +], function($, _, mvc, BaseCellRenderer) { + + var DataBarCellRenderer = BaseCellRenderer.extend({ + canRender: function(cell) { + return (cell.field === 'UsedPct'); + }, + render: function($td, cell) { +var pColor="data-bar-under" +if(cell.value > 15){ pColor="data-bar-over" } + $td.addClass('data-bar-cell').html(_.template('
 <%- ppp %>%
', { + percent: Math.min(Math.max(parseFloat(cell.value), 0), 100), +ppp: parseFloat(cell.value).toFixed(2), +pColor: pColor + })); + } + }); + + mvc.Components.get('df').getVisualization(function(tableView) { + tableView.table.addCellRenderer(new DataBarCellRenderer()); + tableView.table.render(); + }); + +}); + diff --git a/apps/splunk_health_overview/appserver/static/table_decorations_shrunk.css b/apps/splunk_health_overview/appserver/static/table_decorations_shrunk.css new file mode 100644 index 00000000..ea4f8a1b --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/table_decorations_shrunk.css @@ -0,0 +1,59 @@ +/* Custom Icons */ + +td.icon { + text-align: center; +} + +td.icon i { + font-size: 15px; + text-shadow: 1px 1px #aaa; +} + +td.icon .severe { + color: red; +} + +td.icon .elevated { + color: orangered; +} + +td.icon .low { + color: #006400; +} + +/* Row Coloring */ + +#highlight tr td { + background-color: #c1ffc3 !important; +} + +#highlight tr.range-elevated td { + background-color: #ffc57a !important; +} + +#highlight tr.range-severe td { + background-color: #d59392 !important; +} + + +#highlight .table td { + border-top: 1px solid #fff; +} + +#highlight td.range-severe, td.range-elevated { + font-weight: bold; +} + +.icon-inline i { + font-size: 10px; + margin-left: 5px; +} +.icon-inline i.icon-alert-circle { + color: #ef392c; +} +.icon-inline i.icon-alert { + color: #ff9c1a; +} +.icon-inline i.icon-check { + color: #5fff5e; +} diff --git a/apps/splunk_health_overview/appserver/static/table_icons_mv.js b/apps/splunk_health_overview/appserver/static/table_icons_mv.js new file mode 100644 index 00000000..b8fa543b --- /dev/null +++ b/apps/splunk_health_overview/appserver/static/table_icons_mv.js @@ -0,0 +1,56 @@ +require([ +'underscore', +'jquery', +'splunkjs/mvc', +'splunkjs/mvc/tableview', +'splunkjs/mvc/simplexml/ready!' +], function(_, $, mvc, TableView) { + +// Translations from rangemap results to CSS class +var ICONS = { +severe: 'alert-circle', +elevated: 'alert', +low: 'check-circle' +}; + +var RangeMapIconRenderer = TableView.BaseCellRenderer.extend({ +canRender: function(cell) { +// Only use the cell renderer for the range field +return cell.field === 'Status'; +}, +render: function($td, cell) { +var icon = 'question'; +//debugger; +if (!(cell.value instanceof Array)) { +console.log("data is array, lets fix it"); +cell.value = cell.value.split("##"); +} +console.log("dataset is: ", cell.value) + +for (var v in cell.value) { + +if (cell.value.hasOwnProperty(v)) { +val = cell.value[v]; +// Fetch the icon for the value +if (ICONS.hasOwnProperty(val)) { +icon = ICONS[val]; +} +var needsBreak = (v == cell.value-1) ? "":"
"; +// Create the icon element and add it to the table cell +$td.addClass('icon').append(_.template('', { +icon: icon, +range: val +}) + needsBreak); +} +} +} +}); + +mvc.Components.get('feed_status').getVisualization(function(tableView){ +// Register custom cell renderer +tableView.table.addCellRenderer(new RangeMapIconRenderer()); +// Force the table to re-render +tableView.table.render(); +}); + +}); diff --git a/apps/splunk_health_overview/default/app.conf b/apps/splunk_health_overview/default/app.conf new file mode 100644 index 00000000..c7681880 --- /dev/null +++ b/apps/splunk_health_overview/default/app.conf @@ -0,0 +1,16 @@ +# Splunk app configuration file +[package] +id = splunk_health_overview + +[ui] +is_visible = 1 +label = Splunk Health Overview + + +[launcher] +author = Aaron Kornhauser ak@splunk.com +description = This app is a cumulative overview of the health of your Splunk environment. +version = 2.2.1 + +[install] +build = 1 diff --git a/apps/splunk_health_overview/default/data/models/Internal_Events.json b/apps/splunk_health_overview/default/data/models/Internal_Events.json new file mode 100644 index 00000000..241421c8 --- /dev/null +++ b/apps/splunk_health_overview/default/data/models/Internal_Events.json @@ -0,0 +1,222 @@ +{ + "modelName": "Internal_Events", + "displayName": "Internal Events", + "description": "Model to encapsulate some operational data for executive summary dashboards.", + "objectSummary": { + "Event-Based": 1, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "Internal_Log_Events", + "displayName": "Internal Log Events", + "parentName": "BaseEvent", + "fields": [ + { + "fieldName": "b", + "owner": "Internal_Log_Events", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "b", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "series", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "series", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "ev", + "owner": "Internal_Log_Events", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "ev", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "group", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "group", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "pool", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pool", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "type", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "type", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "kb", + "owner": "Internal_Log_Events", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "kb", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "h", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "h", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "idx", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "idx", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "st", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "st", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "splunk_server", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "splunk_server", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "i", + "owner": "Internal_Log_Events", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "i", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "index=_internal source=*license_usage.log* type=Usage", + "owner": "Internal_Log_Events" + } + ], + "lineage": "Internal_Log_Events" + } + ], + "objectNameList": [ + "Internal_Log_Events" + ] +} diff --git a/apps/splunk_health_overview/default/data/models/Introspection_Usage.json b/apps/splunk_health_overview/default/data/models/Introspection_Usage.json new file mode 100644 index 00000000..f910a227 --- /dev/null +++ b/apps/splunk_health_overview/default/data/models/Introspection_Usage.json @@ -0,0 +1,1150 @@ +{ + "modelName": "Introspection_Usage", + "displayName": "Introspection Usage", + "description": "Introspection Data Model for Resource Usage", + "objectSummary": { + "Event-Based": 4, + "Transaction-Based": 0, + "Search-Based": 0 + }, + "objects": [ + { + "objectName": "Introspection", + "displayName": "Introspection", + "parentName": "BaseEvent", + "fields": [ + { + "fieldName": "data.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "data_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_idle_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_idle_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_system_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_system_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_user_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_user_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.fd_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "fd_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mem_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mem_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.normalized_load_avg_1min", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "normalized_load_avg_1min", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_cpu", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_cpu", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_memory", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_memory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.process", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.app", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "search_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.mode", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mode", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.user", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.swap_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "swap_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mount_point", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "index=_introspection", + "owner": "Introspection" + } + ], + "lineage": "Introspection" + }, + { + "objectName": "Disk_Objects", + "displayName": "Disk Objects", + "parentName": "Introspection", + "fields": [ + { + "fieldName": "data.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "data_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_idle_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_idle_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_system_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_system_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_user_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_user_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.fd_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "fd_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mem_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mem_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.normalized_load_avg_1min", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "normalized_load_avg_1min", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_cpu", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_cpu", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_memory", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_memory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.process", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.app", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "search_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.mode", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mode", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.user", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.swap_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "swap_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mount_point", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "Capacity", + "owner": "Introspection.Disk_Objects", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "Capacity", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "ap8ojhsynvj", + "owner": "Introspection.Disk_Objects", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "round('data.capacity'/1024,2)" + }, + { + "outputFields": [ + { + "fieldName": "Avail", + "owner": "Introspection.Disk_Objects", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "Avail", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "hvv0j0v4aw", + "owner": "Introspection.Disk_Objects", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "round('data.free'/1024,2)" + }, + { + "outputFields": [ + { + "fieldName": "Used", + "owner": "Introspection.Disk_Objects", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "Used", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "e74nw43q038", + "owner": "Introspection.Disk_Objects", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "round((Capacity-Avail),2)" + }, + { + "outputFields": [ + { + "fieldName": "UsedPct", + "owner": "Introspection.Disk_Objects", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "UsedPct", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "7fbamd5whnf", + "owner": "Introspection.Disk_Objects", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "round((Used/Capacity)*100,2)" + } + ], + "constraints": [ + { + "search": "sourcetype=splunk_disk_objects component=Partitions", + "owner": "Introspection.Disk_Objects" + } + ], + "lineage": "Introspection.Disk_Objects" + }, + { + "objectName": "Hostwide_Resource_Usage", + "displayName": "Hostwide Resource Usage", + "parentName": "Introspection", + "fields": [ + { + "fieldName": "data.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "data_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_idle_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_idle_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_system_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_system_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_user_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_user_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.fd_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "fd_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mem_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mem_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.normalized_load_avg_1min", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "normalized_load_avg_1min", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_cpu", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_cpu", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_memory", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_memory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.process", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.app", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "search_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.mode", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mode", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.user", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.swap_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "swap_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mount_point", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [ + { + "outputFields": [ + { + "fieldName": "pct_cpu_used", + "owner": "Introspection.Hostwide_Resource_Usage", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_cpu_used", + "comment": "", + "fieldSearch": "" + } + ], + "calculationID": "ztotitvz5t7", + "owner": "Introspection.Hostwide_Resource_Usage", + "editable": true, + "comment": "", + "calculationType": "Eval", + "expression": "round(100-'data.cpu_idle_pct',2)" + } + ], + "constraints": [ + { + "search": "sourcetype=splunk_resource_usage component=Hostwide", + "owner": "Introspection.Hostwide_Resource_Usage" + } + ], + "lineage": "Introspection.Hostwide_Resource_Usage" + }, + { + "objectName": "PerProcess_Resource_Usage", + "displayName": "PerProcess Resource Usage", + "parentName": "Introspection", + "fields": [ + { + "fieldName": "data.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "data_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_idle_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_idle_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_system_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_system_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.cpu_user_pct", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "cpu_user_pct", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.fd_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "fd_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mem_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mem_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.normalized_load_avg_1min", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "normalized_load_avg_1min", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_cpu", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_cpu", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.pct_memory", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "pct_memory", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.process", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "process", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.app", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "app", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.args", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "search_args", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.mode", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mode", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.search_props.user", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "user", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.swap_used", + "owner": "Introspection", + "type": "number", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "swap_used", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "data.mount_point", + "owner": "Introspection", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "mount", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "_time", + "owner": "BaseEvent", + "type": "timestamp", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "_time", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "host", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "host", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "source", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "source", + "comment": "", + "fieldSearch": "" + }, + { + "fieldName": "sourcetype", + "owner": "BaseEvent", + "type": "string", + "required": false, + "multivalue": false, + "hidden": false, + "editable": true, + "displayName": "sourcetype", + "comment": "", + "fieldSearch": "" + } + ], + "calculations": [], + "constraints": [ + { + "search": "sourcetype=splunk_resource_usage component=PerProcess", + "owner": "Introspection.PerProcess_Resource_Usage" + } + ], + "lineage": "Introspection.PerProcess_Resource_Usage" + } + ], + "objectNameList": [ + "Introspection", + "Disk_Objects", + "Hostwide_Resource_Usage", + "PerProcess_Resource_Usage" + ] +} diff --git a/apps/splunk_health_overview/default/data/ui/nav/default.xml b/apps/splunk_health_overview/default/data/ui/nav/default.xml new file mode 100644 index 00000000..70858427 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/nav/default.xml @@ -0,0 +1,17 @@ + diff --git a/apps/splunk_health_overview/default/data/ui/views/deployment_status.xml b/apps/splunk_health_overview/default/data/ui/views/deployment_status.xml new file mode 100644 index 00000000..93028bcc --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/deployment_status.xml @@ -0,0 +1,42 @@ +
+ +
+ + + All + Index + Index + * + |inputlookup avail_indexes.csv | dedup Index | sort + Index + + + + All + sourcetype + sourcetype + * + sourcetype= + OR + | tstats values(sourcetype) AS st where index=$index$ by sourcetype | fields - st + + + + * + +
+ + + + Host and Sourcetype Detail - Last 7 Days + | tstats latest(_time) AS lastTime WHERE index=$index$ sourcetype!=stash $sourcetype$ host=*$host$* BY host sourcetype index | eval current=now() | eval age_min=round((current-lastTime)/60,2) | rangemap field=age_min default=severe low=0-30 elevated=30-60 | stats max(current) AS "Current Time" values(sourcetype) AS Sourcetypes list(lastTime) AS "Latest Event" list(age_min) AS age_min list(range) AS Status by host index | convert ctime(*Time) ctime("Latest Event") | eventstats avg(age_min) AS avg_age by host | eval avg_age=round(avg_age,2) | sort - avg_age | rename age_min AS "Communicated Minutes Ago" avg_age AS "Avg Communicated Minutes Ago" + -7d@h + now + + + + + +
+ + +
\ No newline at end of file diff --git a/apps/splunk_health_overview/default/data/ui/views/health_status.xml b/apps/splunk_health_overview/default/data/ui/views/health_status.xml new file mode 100644 index 00000000..f5809c64 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/health_status.xml @@ -0,0 +1,243 @@ +
+ +
+ + + + @d + now + + +
+ + + +
+

This dashboard is intended to show the overall status and health of your Splunk deployment.

The dashboard provides server availability via REST calls, utilization for CPU and memory, as well as Splunk internal messages. +

To drilldown onto a particular host in question, click on the server name and additional panels will be populated. Also, the timechart has a pan and zoom feature which allows you to specify a timerange on the chart to filter the panel below.

+ + + + + + + Historical Unreachable Splunk Server Instances + index=_internal sourcetype=splunkd component=DistributedPeerManager "Down"| rex "named\s(?<Host>\S+)\:" | lookup all_servers.csv host AS Host OUTPUT role |stats sparkline count AS Count values(role) AS Roles earliest(_time) AS "First Occurrence" latest(_time) AS "Last Occurrence" by Host message | convert ctime(*Occurrence) | rename message as Message sparkline AS Sparkline | table Host Roles Message Sparkline Count "First Occurrence" "Last Occurrence" + $time.earliest$ + $time.latest$ + + + + + +
+ + + + + + Current Splunk Server Status + + |inputlookup all_servers.csv | eval splunk_server=host | join type=left splunk_server [|rest /services/server/info] | join type=left splunk_server [| rest /services/server/status/resource-usage/hostwide | eval mb_mem_used=round(mem_used,2) | fields splunk_server cpu_system_pct cpu_user_pct mb_mem_used] | fillnull value="Non-Reporting" | eval Status=if(updated="Non-Reporting",1,0) | rangemap field=Status low=0-0 severe=1-1 |rename splunk_server AS Server | stats list(role) AS Role values(range) AS Status values(cpu_system_pct) AS "CPU System Utilized" values(cpu_user_pct) AS "CPU User Utilized" values(os_name) AS OS values(numberOfCores) AS "Cores" values(physicalMemoryMB) AS "Avail Mem (MB)" values(mb_mem_used) AS "Mem Utilized (MB)" values(guid) AS guid values(version) AS Version by Server | table Status Server Role OS Cores "Avail Mem (MB)" "CPU System Utilized" "CPU User Utilized" "Mem Utilized (MB)" Version guid | sort - Status "CPU System Utilized" "CPU User Utilized"| fillnull value="Non-Reporting" "Mem Utilized (MB)" "CPU System Utilized" "CPU User Utilized" + @d + now + + + + + + true + $row.Server$ + + + +
+ + + + Forwarder Status + index=_internal source="*splunkd.log" NOT [| inputlookup all_servers.csv | fields host] | eval current=now() | eval age=round((current-_time)/60,2) | stats latest(current) AS "Current Time" latest(_time) AS "Latest Event" min(age) AS Age by host | convert ctime("Latest Event") ctime("Current Time") | sort -Age | rangemap default=severe field=Age low=0-10 | rename host AS Forwarder Age AS "Communicated Minutes Ago" range AS Status | table Status Forwarder "Current Time" "Latest Event" "Communicated Minutes Ago" | sort - Status " Communicated Minutes Ago" + -4h@m + now + + + + + true + $row.Forwarder$ + + + +
+ + + + + + Average CPU Utilization by $host$ + + | tstats avg(Introspection.data.cpu_system_pct) AS cpu_system_pct avg(Introspection.data.cpu_user_pct) AS cpu_user_pct FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Hostwide_Resource_Usage host=$host$ GROUPBY _time | timechart avg(cpu_system_pct) AS "% CPU System" avg(cpu_user_pct) AS "% CPU User" + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + System Load Average by $host$ + | tstats max(Introspection.data.normalized_load_avg_1min) AS load FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Hostwide_Resource_Usage host=$host$ GROUPBY _time | timechart max(load) AS "Load Average" + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + Memory Usage by $host$ + | tstats avg(Introspection.data.mem_used) AS mem_used avg(Introspection.data.swap_used) AS swap_used FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Hostwide_Resource_Usage host=$host$ GROUPBY _time | timechart avg(mem_used) AS "MB Average" avg(swap_used) AS "MB Swap" + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Data Feed Status + + | metadata type=sourcetypes index=* |search [inputlookup avail_indexes.csv | fields sourcetype ] | sort - totalCount |eval description=description + " (" + sourcetype + ")" | eval delta=now()-recentTime | rangemap default=severe field=delta low=0-1800 | convert ctime(recentTime) AS "Last Indexed" | table range, sourcetype, "Last Indexed", totalCount | eval totalCount=tostring(totalCount, "commas") | rename totalCount AS Events, range AS Status | sort - Status + -30d@d + now + + + + + + +
+ + + + + + Splunk Internal Warning and Error Messages + index=_internal source="*splunkd.log" log_level!=INFO | timechart limit=15 count by component + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + $start$ + $end$ + + + + + + + + + Host + Message + component, log_level, message + + + Splunk Internal Message Detail + index=_internal source="*splunkd.log" log_level!=INFO | stats last(_time) AS "First Occurrence" first(_time) AS "Latest Occurrence" count by $grouping$ | rename host AS Server component AS Component log_level AS "Log Level" message AS Message | sort - count | convert ctime("Latest Occurrence") ctime("First Occurrence") + $selection.earliest$ + $selection.latest$ + + + + + +
+ + +
diff --git a/apps/splunk_health_overview/default/data/ui/views/indexes.xml b/apps/splunk_health_overview/default/data/ui/views/indexes.xml new file mode 100644 index 00000000..3ac59400 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/indexes.xml @@ -0,0 +1,112 @@ +
+ + + + + + Indexes Available to Search + |inputlookup avail_indexes.csv | join type=left sourcetype [|metadata type=sourcetypes index=* | convert ctime(*Time)] | eval totalCount = tostring(totalCount, "commas") | stats list(sourcetype) AS Sourcetype values(retention) AS "Retention Periond (Days)" list(lastTime) AS "Latest Event" list(totalCount) AS "Total Count" by Index + 0 + + + + + + + + /app/search/search/?q=search index%3D$row.Index$ + /app/search/search/?q=search index%3D$row.Index$ sourcetype%3D$click.value2$ + /app/search/search/?q=search index%3D$row.Index$ + /app/search/search/?q=search index%3D$row.Index$ + /app/search/search/?q=search index%3D$row.Index$ + /app/search/search/?q=search index%3D$row.Index$ + +
+ + + + + + + + -30d@d + now + + + + + + |inputlookup avail_indexes.csv | dedup Index | sort + Index + + Index + Index + true + + + Event Count Distribution by Index/Sourcetype + + | tstats count WHERE index=$index_name$ GROUPBY sourcetype, _time span=1d | timechart span=1d sum(count) by sourcetype + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + |inputlookup avail_indexes.csv | dedup Index | sort + Index + All + * + + + Host Statistics in Index: $index$ + + |metadata type=hosts index=$index$ | convert ctime(*Time) | eval totalCount = tostring(totalCount, "commas") | rename firstTime AS "Earliest Event" lastTime AS "Latest Event" totalCount AS "Event Count" | fields host "Earliest Event" "Latest Event" "Event Count" | sort - "Latest Event" + -30d@d + now + + + + + + + + + + + + + /app/search/search/?q=search index%3D$index$%20host=$row.host$ + /app/search/search/?q=search index%3D$index$%20host=$row.host$ + /app/search/search/?q=search index%3D$index$%20host=$row.host$ + /app/search/search/?q=search index%3D$index$%20host=$row.host$ + + + +
+ + +
\ No newline at end of file diff --git a/apps/splunk_health_overview/default/data/ui/views/indexes_and_fields.xml b/apps/splunk_health_overview/default/data/ui/views/indexes_and_fields.xml new file mode 100644 index 00000000..46a49243 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/indexes_and_fields.xml @@ -0,0 +1,33 @@ +
+ + +
+ + + | tstats values(sourcetype) AS st where index=* by index | fields - st + + + + | tstats values(sourcetype) AS st where index=$index$ by sourcetype | fields - st + +
+ + + + Available Fields and Values for Index: $index$ and Sourcetype: $sourcetype$ + index=$index$ sourcetype=$sourcetype$ | fieldsummary maxvals=1 | rex field=values "value\"\:\"(?<Sample_Value>.+)\"\," | eval index="$index$" | eval sourcetype="$sourcetype$" | where Sample_Value!="" |fields field Sample_Value index sourcetype | stats list(field) AS "Field Name" list(Sample_Value) AS "Sample Value" by index sourcetype + -24h + now + + + + + /app/search/search/?q=search index%3D$row.index$ earliest=-15m + /app/search/search/?q=search index%3D$row.index$ sourcetype%3D$sourcetype$ earliest=-15m + /app/search/search/?q=search index%3D$row.index$ sourcetype%3D$sourcetype$ earliest=-15m + /app/search/search/?q=search index%3D$row.index$ sourcetype%3D$sourcetype$ earliest=-15m + +
+ + + \ No newline at end of file diff --git a/apps/splunk_health_overview/default/data/ui/views/license_usage.xml b/apps/splunk_health_overview/default/data/ui/views/license_usage.xml new file mode 100644 index 00000000..8e69f990 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/license_usage.xml @@ -0,0 +1,278 @@ +
+ + +
+ + + Internal_Log_Events.idx + Index + Sourcetype + Host + +
+ + + +
+

This dashboard is intended to show the overall status of license utilization across the different Splunk servers and data types.

The dashboard provides a high level overview of overall license used today, by index, and trending over time by index/environment option. To gain deeper insights into Splunk's license and data volume consumption reference eitherFireBrigadeorS.o.S Splunk on Splunk.

+ + + + + + + Todays Overall License Usage (GB) + | tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" GROUPBY Internal_Log_Events.idx | eval gb=round(bytes/1024/1024/1024,2) | stats sum(gb) AS "Total GB" + @d + now + + + + + + + + + + + + + + + + + + + + + + + + + + + + Total GB Ingested Today + | tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i] GROUPBY $type$ | eval gb=round(bytes/1024/1024/1024,2) | stats sum(gb) AS "Total GB" by $type$ | rename Internal_Log_Events.idx AS Index Internal_Log_Events.st AS "Source Type" Internal_Log_Events.h AS Host | sort - "Total GB" + @d + now + + + + + + + + + + + + +
+ + + + Week on Week Usage - Current Day is Partial + | tstats summariesonly=true sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i] GROUPBY _time | eval marker=case( _time < relative_time(now(), "-1w@w"), "Two Weeks Ago", _time < relative_time(now(), "@w"), "Last Week", true(), "This Week") | eval _time=case( _time < relative_time(now(), "-1w@w"), _time+2*7*86400, _time < relative_time(now(), "@w"), _time+7*86400, true(), _time) | eval gb=bytes / 1024 / 1024 / 1024 | chart sum(gb) AS gbytes OVER _time BY marker | fieldformat _time=strftime(_time, "%A") + -2w@w + now + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Todays Overall Ingestion by Index/Indexer (GB) + |tstats summariesonly=false sum(Internal_Log_Events.b) AS bytes from datamodel="Internal_Events" WHERE [inputlookup all_servers.csv | search role=indexer | rename guid AS "Internal_Log_Events.i"| fields Internal_Log_Events.i] GROUPBY _time $type$ Internal_Log_Events.i span=auto | eval gb=round(bytes/1024/1024/1024,2) | lookup all_servers.csv guid AS "Internal_Log_Events.i" OUTPUTNEW host | chart sum(gb) over host by $type$ + @d + now + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Event Count Ingested by Indexing Delay(s) - Today + | tstats count max(_time) as t max(_indextime) as it where index=* by _time | eval delay=it-t | timechart sum(count) avg(delay) as delay(s) + @d + now + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Matrix Overview - Index Capacity/Usage + | rest /services/data/indexes search="totalEventCount!=0" | eval coldPath.maxDataSizeMB=if('coldPath.maxDataSizeMB' = 0, null(), 'coldPath.maxDataSizeMB') | eval homePath.maxDataSizeMB=if('homePath.maxDataSizeMB' = 0, null(), 'homePath.maxDataSizeMB') | eval roof=min((coalesce('homePath.maxDataSizeMB', 4294967295) + coalesce('coldPath.maxDataSizeMB', 4294967295)), maxTotalDataSizeMB) | eval span=tostring(currentDBSizeMB) + " / " + tostring(roof) + " MB" | eval Percent=tostring(round(currentDBSizeMB * 100 / roof)) + "%"| search [inputlookup all_servers.csv | search role=indexer | rename host AS splunk_server | fields splunk_server] | stats first(span) AS "Capacity vs Limit" by splunk_server title minTime maxTime Percent | rename splunk_server AS Indexer title AS Index minTime AS "Oldest Event" maxTime AS "Newest Event" | table Indexer Index "Capacity vs Limit" "Oldest Event" "Newest Event" Percent | sort - Percent + 0 + now + + + + + +
+ + + + Disk Usage + | tstats max(Introspection.Disk_Objects.Capacity) AS Capacity max(Introspection.Disk_Objects.Avail) AS Avail max(Introspection.Disk_Objects.Used) AS Used max(Introspection.Disk_Objects.UsedPct) AS UsedPct FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Disk_Objects [inputlookup all_servers.csv | fields host] GROUPBY _time host Introspection.data.mount_point | eventstats max(_time) AS latest by host | where _time=latest | lookup all_servers.csv host OUTPUT role | rename Introspection.data.mount_point AS Mount role AS Role |table host Role Mount Capacity Avail Used UsedPct | sort - UsedPct + @d + now + + + + + +
+ + + \ No newline at end of file diff --git a/apps/splunk_health_overview/default/data/ui/views/resource_usage.xml b/apps/splunk_health_overview/default/data/ui/views/resource_usage.xml new file mode 100644 index 00000000..5ee6c254 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/resource_usage.xml @@ -0,0 +1,210 @@ +
+ +
+ + + + @d + now + + + + + All + host + host + * + host= + OR + |inputlookup all_servers.csv | dedup host | fields host | sort + host + +
+ + + + Current Resource Usage + |inputlookup all_servers.csv | eval splunk_server=host | join type=left splunk_server [|rest /services/server/info] | join type=left splunk_server [| rest /services/server/status/resource-usage/hostwide | eval pct_cpu_used=(100-cpu_idle_pct)."%" | eval mb_mem_used=round(mem_used,2) | fields splunk_server cpu_system_pct cpu_user_pct mb_mem_used] | fillnull value="Non-Reporting" |rename splunk_server AS Server | stats list(role) AS Role values(cpu_system_pct) AS "CPU System Utilized" values(cpu_user_pct) AS "CPU User Utilized" values(os_name) AS OS values(numberOfCores) AS "Cores" values(physicalMemoryMB) AS "Avail Mem (MB)" values(mb_mem_used) AS "Mem Utilized (MB)" by Server | table Server Role OS Cores "Avail Mem (MB)" "CPU System Utilized" "CPU User Utilized" "Mem Utilized (MB)" | sort - "CPU System Utilized" "CPU User Utilized" | fillnull value="Non-Reporting" "Mem Utilized (MB)" "CPU System Utilized" "CPU User Utilized" + @d + now + + + + + +
+ + + + Current Disk Usage by Host/Mount + | tstats max(Introspection.Disk_Objects.Capacity) AS Capacity max(Introspection.Disk_Objects.Avail) AS Avail max(Introspection.Disk_Objects.Used) AS Used max(Introspection.Disk_Objects.UsedPct) AS UsedPct FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Disk_Objects $hosts$ GROUPBY _time host Introspection.data.mount_point | eventstats max(_time) AS latest by host | where _time=latest | lookup all_servers.csv host OUTPUT role | rename Introspection.data.mount_point AS Mount role AS Role |table host Role Mount Capacity Avail Used UsedPct | sort - UsedPct + @d + now + + + + + $row.host$ + + + +
+ + + + + + Today's Resource Usage by PID/Host + index=_introspection component=PerProcess $hosts$| stats earliest(_time) AS "Earliest Occurrence" latest(_time) AS "Latest Occurrence" max(data.fd_used) AS "File Descriptors Used" avg(data.mem_used) AS "Mem Used" avg(data.pct_memory) AS "Avg % Mem" avg(data.pct_cpu) AS "Avg % CPU" by data.pid data.ppid data.process host | eval "Runtime Min"=('Latest Occurrence'-'Earliest Occurrence')/60 | convert ctime(*Occurrence) | rename data.pid AS PID data.ppid AS "Parent PID" data.process AS Process | table "Earliest Occurrence" "Latest Occurrence" host PID "Parent PID" Process "File Descriptors Used" "Mem Used" "Avg % Mem" "Avg % CPU" "Runtime Min" | sort - "Avg % CPU" "Avg % Mem" + @d + now + + + + + +
+ + + + + + System Load Average by Host + | tstats max(Introspection.data.normalized_load_avg_1min) AS load FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Hostwide_Resource_Usage $hosts$ GROUPBY _time host | timechart max(load) AS "Load Average" by host + $time2.earliest$ + $time2.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + % CPU by Host + | tstats avg(Introspection.data.cpu_user_pct) AS pct_cpu_user FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Hostwide_Resource_Usage $hosts$ GROUPBY _time host | timechart avg(pct_cpu_user) AS "% CPU User Used" by host + $time2.earliest$ + $time2.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + Memory Usage MB by Host + | tstats avg(Introspection.data.mem_used) AS mem_used avg(Introspection.data.swap_used) AS swap_used FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Hostwide_Resource_Usage $hosts$ GROUPBY _time host | timechart avg(mem_used) AS "MB Average" by host + $time2.earliest$ + $time2.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + -30d@d + now + + + + + true + |inputlookup all_servers.csv | dedup host | fields host | sort + host + host + host + + + Disk Usage % by Host/Mount Over Time - $host$ + | tstats max(Introspection.Disk_Objects.UsedPct) AS UsedPct FROM datamodel=Introspection_Usage WHERE nodename=Introspection.Disk_Objects host=$host$ GROUPBY _time host Introspection.data.mount_point | rename Introspection.data.mount_point AS Mount | timechart max(UsedPct) As UsedPct by Mount + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/apps/splunk_health_overview/default/data/ui/views/saved_search_detail.xml b/apps/splunk_health_overview/default/data/ui/views/saved_search_detail.xml new file mode 100644 index 00000000..aa0079ff --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/saved_search_detail.xml @@ -0,0 +1,168 @@ +
+ + +
+ + + * + + + + Any + | rest /servicesNS/-/-/apps/local | search visible=1 | dedup title | fields title label | sort label + * + + + + Any + nobody + |rest /services/authentication/users splunk_server=local + |fields title realname | eval name=if(realname="",title,realname) | sort + name + * + + + + All + Yes + No + * + + + + All + Enabled + Disabled + * + +
+ + + + | rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | stats count + 0 + + + + + + + + + | rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Enabled is_scheduled=Yes| stats count + 0 + + + + + + + + + | rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Enabled is_scheduled=No | stats count + 0 + + + + + + + + + | rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time | search state=Disabled | stats count + 0 + + + + + + + + + + + Search Status by Application + | rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time eai:acl.app | rename eai:acl.app as app | eval status="State: ".state." / Scheduled: ".is_scheduled | chart count over app by status + 0 + + + + + + + + + + + + + + + + + + + + + + + + + Saved Searches by User + | rest /servicesNS/-/-/saved/searches splunk_server=local | eval state=if(disabled=0,"Enabled","Disabled") | eval is_scheduled=if(is_scheduled=1,"Yes","No") | rename title AS savedsearch_name | fields cron_schedule state is_scheduled savedsearch_name search dispatch.earliest_time dispatch.latest_time eai:acl.app eai:acl.owner | rename eai:acl.owner AS title | join title type=outer [|rest /services/authentication/users splunk_server=local |fields title realname | eval user=if(realname="",title,realname)] | eval user=case(title="nobody","No Owner Specified - this is OK",isnotnull(title) AND isnull(user),"Investigate - User Possibly No Longer Exists",1=1, user) | chart count by user + 0 + + + + + + + + + + + + + + + + + + + + + + + + + + Saved Search Execution Details + | inputlookup savedsearch_runtimes.csv | sort last_time | convert ctime(*_time) | rename first_time AS "First Run Time" last_time AS "Latest Run Time" | join savedsearch_name type=outer [| rest /servicesNS/-/-/saved/searches | eval State=if(disabled=0,"Enabled","Disabled") | eval Scheduled=if(is_scheduled=1,"Yes","No") | fields title eai:acl.app eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search State Scheduled | rename title AS savedsearch_name eai:acl.app AS App eai:acl.owner AS User cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time"] | rename savedsearch_name AS Search | table Search App User "Avg Runtime" "Max Runtime" Scheduled State "First Run Time" "Latest Run Time" "Dispatch Earliest Time" "Dispatch Latest Time" | search Search=$search$* App=$app$ User=$user$ Scheduled=$scheduled$ State=$state$ + 0 + + + + + + +
+ + + + + + Inactive Searches To Be Investigated + | rest /servicesNS/-/-/saved/searches splunk_server=local | search NOT [|inputlookup savedsearch_runtimes.csv | rename savedsearch_name AS title | fields title] | eval +State=if(disabled=0,"Enabled","Disabled") | eval +Scheduled=if(is_scheduled=1,"Yes","No") | fields title eai:acl.app eai:acl.owner cron_schedule dispatch.earliest_time dispatch.latest_time search State Scheduled | rename title AS +savedsearch_name eai:acl.app AS App eai:acl.owner AS User cron_schedule AS "Cron Schedule" dispatch.earliest_time AS "Dispatch Earliest Time" dispatch.latest_time AS "Dispatch Latest Time" + 0 + + + + + + +
+ + + diff --git a/apps/splunk_health_overview/default/data/ui/views/scheduler_activity.xml b/apps/splunk_health_overview/default/data/ui/views/scheduler_activity.xml new file mode 100644 index 00000000..bd5de09e --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/scheduler_activity.xml @@ -0,0 +1,189 @@ +
+ + +
+ + + true + + |inputlookup all_servers.csv | search role=*search* | dedup host | fields host | sort + host + + host= + host + host + + + + + @d + now + + +
+ + + +
+

This dashboard is intended to illustrate scheduled search activity and usage across your different Splunk Search Head(s). +

Use the input to choose the Search Head you would like to include results from and the timerange picker to select the dates. +

+ + + + + + + Scheduler Activity + index=_internal $host$ source=*scheduler.log app="*" savedsearch_name="*" | stats min(run_time) as "Min runtime (seconds)", median(run_time) as median_runtime, max(run_time) as max_runtime, count(eval(status!="continued")) AS total_exec, count(eval(status=="success")) as "Successful executions", count(eval(status=="skipped")) AS "Skipped executions" by app, savedsearch_name, user host | stats first(*) as * by savedsearch_name | eval interval_usage_ratio=round((median_runtime/schedule_period),2) | search total_exec>0 | rename app AS App median_runtime AS "Median runtime (seconds)" max_runtime AS "Max runtime (seconds)" savedsearch_name AS "Scheduled search name" user AS User total_exec AS "Total executions" | table host App "Scheduled search name" User "Min runtime (seconds)" "Median runtime (seconds)" "Max runtime (seconds)" "Total executions" "Successful executions" "Skipped executions" | sort - "Median runtime (seconds)" "Total executions" + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + Scheduler Execution + index=_internal $host$ source=*metrics.log group=searchscheduler | timechart partial=false sum(dispatched) AS Started, sum(skipped) AS Skipped | appendcols [search index=_internal $host$ sourcetype=scheduler status=continued | eval savedsearch_id_scheduled_time=savedsearch_id."-".scheduled_time | timechart dc(savedsearch_id_scheduled_time) AS Deferred] + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + Skipped Scheduled Searches + index=_internal $host$ source=*scheduler.log savedsplunker status=skipped | stats count by host savedsearch_name, app, user | sort - SkipCount | rename savedsearch_name AS "Scheduled search name" count AS "Skip count" host AS Server + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + Execution Count by Saved Search + index=_internal $host$ source=*scheduler.log status="*" AND status!="continued" | timechart count by savedsearch_name + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + Most Active Searches - Top 10 + | rest splunk_server=* /servicesNS/-/-/admin/savedsearch/ earliest_time=-0s@s latest_time=+2d@d search="is_scheduled=1" search="disabled=0" | table splunk_server eai:acl.app eai:acl.owner cron_schedule title scheduled_times | mvexpand scheduled_times | rename scheduled_times as _time eai:acl.app as app eai:acl.owner as user title as search | stats count(search) as count by search cron_schedule app | sort 10 -count + 0 + + + + +
+ + + + + + Scheduler Errors + index=_internal $host$ source=*scheduler.log error OR warn + $time.earliest$ + $time.latest$ + + + + + + + + + + + ["host","source","sourcetype"] + + + +
diff --git a/apps/splunk_health_overview/default/data/ui/views/search_activity.xml b/apps/splunk_health_overview/default/data/ui/views/search_activity.xml new file mode 100644 index 00000000..c37683ce --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/search_activity.xml @@ -0,0 +1,308 @@ +
+ + +
+ + + true + |inputlookup all_servers.csv | search role=*search* | dedup host| sort + host + host= + host + host + + + + + @d + now + + +
+ + + +
+

This dashboard is intended to illustrate search activity and usage on the Splunk Search Head(s) in your environment. +

Additionally, you can select a range on the CPU utilization graph to narrow down a time range to filter the other panels in the dashboard to identify correlations. +

The Search Window Statistics table below illustrates different searches ran for a selected period of time. I.e a user selected a search to run for the last 15 Minutes or 30 Days and the panel displays how many searches were executed or cumulative/average execution time during that time frame by index or user. +

+ + + + + + + Peak Historical Search Concurrency by Host - Adhoc and Scheduled + index=_internal $host$ source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) by host + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + $start$ + $end$ + + + + + + + + + Peak Real-Time Search Concurrency by Host - Adhoc and Scheduled + index=_internal $host$ source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_realtime_searches) by host + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + $start$ + $end$ + + + + + + + + + + + Avg % CPU Utilization by Process + | tstats max(Introspection.data.pct_cpu) AS pct_cpu FROM datamodel=Introspection_Usage WHERE nodename=Introspection.PerProcess_Resource_Usage $host$ GROUPBY _time Introspection.data.process | rename Introspection.data.process AS process | timechart avg(pct_cpu) by process + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + $start$ + $end$ + + + + + + + + + + + Avg % Memory Utilization by Process + | tstats max(Introspection.data.pct_memory) AS pct_memory FROM datamodel=Introspection_Usage WHERE nodename=Introspection.PerProcess_Resource_Usage $host$ GROUPBY _time Introspection.data.process | rename Introspection.data.process AS process | timechart avg(pct_memory) by process + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + $start$ + $end$ + + + + + + + + + + + Search Duration Histogram by Search Head + index=_audit $host$ action=search user!=splunk-system-user search_id=* (info=granted OR info=completed) | eval run_time_min=round(total_run_time/60,2) | stats earliest(_time) AS "Start Time" latest(_time) AS "End Time" count values(search) AS Search values(user) AS User max(run_time_min) AS run_time_min by search_id host | convert ctime(*Time) | where count>1 | fields - count | rename search_id AS SID | bucket run_time_min span=5 | chart count over run_time_min by host | rename run_time_min AS "Run Time (Minutes)" + $selection.earliest$ + $selection.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + Search Count and Average Run Time + index=_audit $host$ action=search user!=splunk-system-user search_id=* info=completed | eval run_time_min=round(total_run_time/60,2) | timechart span=1h count AS "Search Count" avg(run_time_min) AS "Run Time Min" + $selection.earliest$ + $selection.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Searches and Run Time + index=_audit $host$ action=search user!=splunk-system-user search_id=* (info=granted OR info=completed) |rex field=apiStartTime "'(?<start_time>[^']+)'" |rex field=apiEndTime "'(?<end_time>[^']+)'" | eval search_id = trim(if(isnull(search_id), id, search_id), "'") | eval run_time_min=round(total_run_time/60,2) |eval range=if(start_time=="ZERO_TIME","All Time", tostring(strptime(end_time, "%a %b %d %H:%M:%S %Y") - strptime(start_time, "%a %b %d %H:%M:%S %Y"),"duration")) | stats earliest(_time) AS "Start Time" latest(_time) AS "End Time" values(start_time) AS "Search Earliest" values(end_time) AS "Search Latest" count values(range) AS range values(search) AS Search values(user) AS User max(run_time_min) AS "Run Time (Min)" by search_id | convert ctime(*Time) | where count>1 | rename search_id AS SID range AS "Search Range" | table "Start Time" "End Time" SID Search User "Run Time (Min)" "Search Range" "Search Earliest" "Search Latest"| sort - "Run Time (Min)" + $selection.earliest$ + $selection.latest$ + + + + + + + + + + +
+ + + + + + + Index + User + Index + + + + Sum of Duration (Minutes) + Average Duration (Minutes) + Count of Searches + count + + + Search Window Statistics by $split$ + index=_audit $host$ action=search search=* |rex field=apiStartTime "'(?<start_time>[^']+)'" |rex field=_raw "[^\_]index=\"?(?<Index>[\_a-zA-Z\-\:]{2,})\"?" |eval Index=lower(Index) |search Index!="|history" Index!="|metadata" Index!="|dbinspect" |eval ctime = _time | join search_id [search index=_audit action=search info=completed total_run_time=* | eval run_time_min=total_run_time/60 | fields run_time_min search_id user] |eval range=case( start_time=="ZERO_TIME","All Time", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 300, "5 Minutes", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 900 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 300, "15 Minutes", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 3600 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 900, "1 Hour", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 14400 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 3600, "4 Hours", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 86400 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 14400, "1 Day", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 610000 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 86400, "7 Days", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 2592000 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 604800, "30 Days", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") <= 3888000 AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 2592000, "45 Days", start_time!="ZERO_TIME" AND ctime - strptime(start_time, "%a %b %d %H:%M:%S %Y") > 3888000, "45 Days +", start_time==start_time, "Other") | eval Index=if(Index="","No Index Used in Search",Index) |eval user=if(user="","N/A",user) |chart limit=0 $value$ over $split$ by range | fields $split$ "5 Minutes" "15 Minutes" "1 Hour" "4 Hours" "1 Day" "7 Days" "30 Days" "45 Days" "45 Days +" "All Time" | fillnull $split$ "5 Minutes" "15 Minutes" "1 Hour" "4 Hours" "1 Day" "7 Days" "30 Days" "45 Days" "45 Days +" "All Time" | table $split$ "5 Minutes" "15 Minutes" "1 Hour" "4 Hours" "1 Day" "7 Days" "30 Days" "45 Days" "45 Days +" "All Time" | addtotals col=true | fillnull value=Total + $selection.earliest$ + $selection.latest$ + + + + + + + + + + + + +
+ + + + Usage by User + index=_audit $host$ action=search (id=* OR search_id=*) | eval search_id = if(isnull(search_id), id, search_id) | replace '*' with * in search_id | rex "search='(?<search>.*?)', autojoin" | search search_id!=scheduler_* | convert num(total_run_time) | rex "\,\s+user=(?<user>\S+)," | eval user = if(user="n/a", null(), user) | stats min(_time) as _time first(user) as user max(total_run_time) as total_run_time first(search) as search by search_id host | search search=search* search!=*_internal* search!=*_audit* | stats median(total_run_time) as "Median search time" perc95(total_run_time) as "95th Percentile search time" sum(total_run_time) as "Total search time" count as "Search count" max(_time) as "Last use" by user host | fieldformat "Last use" = strftime('Last use', "%F %T.%Q %:z") | rename host AS "Search Head" | sort - "Median search time" + $selection.earliest$ + $selection.latest$ + + + + + +
+ + +
diff --git a/apps/splunk_health_overview/default/data/ui/views/search_detail.xml b/apps/splunk_health_overview/default/data/ui/views/search_detail.xml new file mode 100644 index 00000000..def0ac55 --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/search_detail.xml @@ -0,0 +1,147 @@ +
+ + +
+ +
+ + | rest /services/search/jobs/ | search sid=$sid$ + + + + Total Jobs Found + + stats count + + + Adhoc Jobs Found + + stats count(eval(if(isSavedSearch=0, title, null()))) AS count + + + Scheduled Jobs Found + + stats count(eval(if(isSavedSearch=1,isSavedSearch,null()))) AS count + + + + + + Time Spent + + + + eval startup_time=coalesce('performance.dispatch.createProviderQueue.duration_secs', "None (no remotes)") + + + + + + eval local_wait=coalesce('performance.dispatch.fetch.duration_secs', 0) + + + + + + + + + + Search Space Consumption (bytes) + + + + + + + + + + stats sum(performance.dispatch.stream.remote.*.output_count) AS * by sid | transpose | search column!="sid" | stats sum(row 1) AS bytes + + + + Scanned Events + + + + + + + + + + eval rate=if(scanCount=0, "N/A", round(scanCount / runDuration, 2) . " E/s") + + + + + + Search String + + eval search=coalesce('request.search', eventSearch) + + + + + + Performance Histogram + + + + search dispatchState=DONE +| stats max(performance.command.search.index.*.invocations) AS * by sid +| fillnull value=0 usec_1_8, usec_8_64, usec_64_512, usec_512_4096, usec_4096_32768, usec_32768_262144, usec_262144_inf +| eval total=usec_1_8 + usec_8_64 + usec_64_512 + usec_512_4096 + usec_4096_32768 + usec_32768_262144 + usec_262144_inf +| search total> 0 +| table sid, usec_262144_inf, usec_32768_262144, usec_4096_32768, usec_512_4096, usec_64_512, usec_8_64, usec_1_8 + + + + Time spent in commands + + + stats max(performance.command.*.duration_secs) AS *, max(performance.command.search.*.duration_secs) AS * | transpose | rename column AS command, "row 1" as time + + + + + + Bytes Returned From Indexers + + + search dispatchState=DONE + | stats max(performance.dispatch.stream.remote.*.output_count) AS * by sid + | table sid, * + + + + Ratio of Bytes Returned vs. Time + + + + + + .+?)\.(?[^\.]+)$" +| eval sid=if(column="sid", 'row 1', null()) +| filldown sid +| eval {metric}='row 1' +| stats max(duration_secs) AS duration_secs + max(output_count) AS output_count + by sid, hostname +| eval bytes_per_sec=round(output_count / duration_secs, 2) +| chart max(bytes_per_sec) over hostname by sid]]> + + + + + + Job Details + transpose +
+ + + +
diff --git a/apps/splunk_health_overview/default/data/ui/views/user_activity.xml b/apps/splunk_health_overview/default/data/ui/views/user_activity.xml new file mode 100644 index 00000000..7a8bdcbc --- /dev/null +++ b/apps/splunk_health_overview/default/data/ui/views/user_activity.xml @@ -0,0 +1,169 @@ +
+ + +
+ + + true + |inputlookup all_servers.csv | search role=*search* | dedup host| fields host | sort + host + host + host + + + + + @d + now + + +
+ + + +
+

This dashboard is intended to illustrate user activity and usage across your Splunk Search Head(s). +

Use the input to choose the Search Heads you would like to include results from and the timerange picker to select the dates. + + +

+ + + + + + + Users Currently Logged In + + | rest splunk_server=* /services/authentication/httpauth-tokens | search userName!=splunk-system-user |stats max(updated) AS "Last Activity" values(splunk_server) AS Host by userName | rename userName AS User + $time.earliest$ + $time.latest$ + + + + + + +
+ + + + + + Unique User Activity Per Search Head + index=_internal host=$host$ sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-"| timechart dc(user) by host + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + Search Activity Run-Time by Host + index=_internal host=$host$ sourcetype=splunkd_access "/services/search/jobs" | kv access-extractions | search uri=/services/search/jobs/* user!="-"| rex "(?<run_time>\d+)ms" | timechart eval(sum(run_time)/1000) by host + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + + + + @mon + now + + + + Total Unique Users Active in Splunk + index=_internal sourcetype=splunkd_access "/services/search/jobs" user!=splunk-system-user | kv access-extractions |search uri=/services/search/jobs/* user!="-"| stats dc(user) AS "Unique Users" by host | rename host AS "Search Head" | addcoltotals | sort - "Unique Users" | fillnull value=Total + $field3.earliest$ + $field3.latest$ + + + + + +
+ + + + + + View Hits Over Time + index=_internal host=$host$ source=*web_access.log* /app/ | rex "GET /[^/]+/app/(?<app_view>[^/ ?]+/[^/ ?]+) " | timechart limit=15 usenull=f count by app_view + $time.earliest$ + $time.latest$ + + + + + + + + + + + + + + + + + + + + + + + + Top Visited Views + index=_internal host=$host$ source=*web_access.log* /app/ | rex "GET /[^/]+/app/(?<app_view>[^/ ?]+/[^/ ?]+) " | rename app_view AS "App View" | top limit=20 host "App View" + $time.earliest$ + $time.latest$ + + + + + +
+ + +
diff --git a/apps/splunk_health_overview/default/datamodels.conf b/apps/splunk_health_overview/default/datamodels.conf new file mode 100644 index 00000000..ce1dacec --- /dev/null +++ b/apps/splunk_health_overview/default/datamodels.conf @@ -0,0 +1,7 @@ +[Internal_Events] +acceleration = 1 +acceleration.earliest_time = -1mon + +[Introspection_Usage] +acceleration = 1 +acceleration.earliest_time = -1mon diff --git a/apps/splunk_health_overview/default/savedsearches.conf b/apps/splunk_health_overview/default/savedsearches.conf new file mode 100644 index 00000000..1a89d6b6 --- /dev/null +++ b/apps/splunk_health_overview/default/savedsearches.conf @@ -0,0 +1,50 @@ +[avail_indexes] +alert.digest_mode = True +alert.suppress = 0 +alert.track = 0 +auto_summarize.dispatch.earliest_time = -1d@h +cron_schedule = 0 0 * * 6 +dispatch.earliest_time = -30d +dispatch.latest_time = now +disabled = false +enableSched = 1 +search = | tstats values(sourcetype) AS sourcetype where index=* by index | mvexpand sourcetype | rename index AS title | join type=left title [| rest /services/data/indexes | eval retention=frozenTimePeriodInSecs/60/60/24 | stats min(retention) AS retention by title] | rename title AS Index | table Index sourcetype retention | sort + Index | outputlookup avail_indexes.csv +run_on_startup = true + + +[server_lookup] +alert.digest_mode = True +alert.suppress = 0 +alert.track = 0 +auto_summarize.dispatch.earliest_time = -1d@h +cron_schedule = 0 0 * * 6 +disabled = false +dispatch.earliest_time = 0 +dispatch.latest_time = +enableSched = 1 +search = | rest splunk_server=* /services/server/info | mvexpand server_roles | search server_roles!=search_peer | rename server_roles AS role splunk_server AS host | table host guid role version | outputlookup all_servers.csv +run_on_startup = true + +[server_lookup_v6_1] +alert.digest_mode = True +alert.suppress = 0 +alert.track = 0 +auto_summarize.dispatch.earliest_time = -1d@h +cron_schedule = 0 0 * * 6 +disabled = true +dispatch.earliest_time = -30d@d +dispatch.latest_time = now +enableSched = 1 +search = index=_internal sourcetype=splunkd component=ServerRoles role!=license_slave* role!=search_peer* |rex field=role "(?\S+)\." |dedup host role | join host [|rest splunk_server=* /services/server/info | rename serverName AS host | fields host guid version] | rename server_role AS role | table host role guid version | outputlookup all_servers.csv + +[savedsearch_state_lookup] +alert.digest_mode = True +alert.suppress = 0 +alert.track = 0 +auto_summarize.dispatch.earliest_time = -1d@h +cron_schedule = 0 * * * * +disabled = 0 +dispatch.earliest_time = -1h@h +dispatch.latest_time = now +enableSched = 1 +search = index=_internal sourcetype=scheduler OR (sourcetype=splunk_web_service "loading saved search") OR (sourcetype=splunkd_access method=POST /saved/searches) | rex "\/saved\/searches\/(?[^/]+) HTTP?" | rex "saved\ssearch\s\"\/\w+\/(?\w+)\/(?\w+)\/\w+\/\w+\/(?.+)\"\s" | eval savedsearch_name=urldecode(savedsearch_name) | search savedsearch_name!=_ACCELERATE* | stats avg(run_time) AS "Avg Runtime" max(run_time) AS "Max Runtime" min(_time) as first_time,max(_time) as last_time by savedsearch_name | inputlookup append=T savedsearch_runtimes.csv | stats max("Max Runtime") AS "Max Runtime" max("Avg Runtime") AS "Avg Runtime" min(first_time) as first_time, max(last_time) as last_time by savedsearch_name | outputlookup savedsearch_runtimes.csv diff --git a/apps/splunk_health_overview/lookups/README b/apps/splunk_health_overview/lookups/README new file mode 100644 index 00000000..d1fda561 --- /dev/null +++ b/apps/splunk_health_overview/lookups/README @@ -0,0 +1,2 @@ +all_servers.csv is generated by the all_servers saved search. +all_indexes.csv is generated by th eall_indexes saved search. diff --git a/apps/splunk_health_overview/metadata/default.meta b/apps/splunk_health_overview/metadata/default.meta new file mode 100755 index 00000000..8e9023b7 --- /dev/null +++ b/apps/splunk_health_overview/metadata/default.meta @@ -0,0 +1,6 @@ +[] +access = read : [ admin ], write : [ admin, power ] +export = none + +[lookups] +export = system diff --git a/apps/splunk_health_overview/metadata/local.meta b/apps/splunk_health_overview/metadata/local.meta new file mode 100644 index 00000000..8f0ef79c --- /dev/null +++ b/apps/splunk_health_overview/metadata/local.meta @@ -0,0 +1,48 @@ +[app/install/install_source_checksum] +version = 6.2.0 +modtime = 1417642279.990818000 + +[views/search_activity] +version = 6.2.3 +modtime = 1435021968.343178000 + +[savedsearches/avail_indexes] +version = 6.2.0 +modtime = 1418588425.683031000 + +[views/search_detail] +owner = admin +version = 6.2.0 +modtime = 1418588689.234899000 + +[views/user_activity] +version = 6.2.0 +modtime = 1418694100.118998000 + +[views/health_status] +version = 6.2.0 +modtime = 1418691739.189140000 + +[views/resource_usage] +version = 6.2.0 +modtime = 1418693713.624970000 + +[views/scheduler_activity] +version = 6.2.0 +modtime = 1418692953.351024000 + +[views/license_usage] +version = 6.1.0 +modtime = 1433265651.802525000 + +[views/deployment_status] +version = 6.1.0 +modtime = 1433265339.806811000 + +[datamodels/Internal_Events] +version = 6.1.0 +modtime = 1433265569.286090000 + +[models/Internal_Events] +version = 6.1.0 +modtime = 1433265547.276039000 diff --git a/apps/splunk_health_overview/splunkbase.manifest b/apps/splunk_health_overview/splunkbase.manifest new file mode 100644 index 00000000..75e3399e --- /dev/null +++ b/apps/splunk_health_overview/splunkbase.manifest @@ -0,0 +1,153 @@ +{ + "version": "1.0", + "date": "2022-11-14T18:58:45.384302319Z", + "hashAlgorithm": "SHA-256", + "app": { + "id": 1919, + "version": "2.2.1", + "files": [ + { + "path": "metadata/default.meta", + "hash": "92003e4bf19e1a44a315eff7b3cc8038699c0fc03dd6ecdcff6525bf2612a05a" + }, + { + "path": "metadata/local.meta", + "hash": "ab95b50b3a4104e4a9d4dcb45f6dbef06ffff161194434af56f52b3be7b62883" + }, + { + "path": "appserver/static/table_data_bar.css", + "hash": "797f3bc17c47d933506c15c8022c3b3b9f138899b80197f86e9d259ad8a1567d" + }, + { + "path": "appserver/static/search_health.js", + "hash": "72340cd9c73db79320e934c77cbe4a1cf1954b6ce91ac948b21e55b4fd63b1da" + }, + { + "path": "appserver/static/search_health.css", + "hash": "751367415f66ee04b72d81d61f9c176e110b7cc589442fdc276b8071f897540e" + }, + { + "path": "appserver/static/table_cell_highlighting.css", + "hash": "04a4504e1af20a1931194597108c2cf4b2887c16d69cdbaabd428c1a3ec0c92e" + }, + { + "path": "appserver/static/table_cell_highlighting.js", + "hash": "bef0340f3c68bc27c28748198fc8332f36a210ee8d00d0bc003842bb0daed9bd" + }, + { + "path": "appserver/static/table_data_bar.js", + "hash": "8206bd0016380df81c7389cbf8d69352c35484faaa2ea6384213e1e59e37ff38" + }, + { + "path": "appserver/static/server_health.css", + "hash": "751367415f66ee04b72d81d61f9c176e110b7cc589442fdc276b8071f897540e" + }, + { + "path": "appserver/static/table_decorations_shrunk.css", + "hash": "afccebe892f133a1e5ccfab1096c921af6273f15b59d6ecf5c7fa4b1dcce0cc7" + }, + { + "path": "appserver/static/table_icons_mv.js", + "hash": "6615774fcf6131949caf8241437ebf7d0bfd241296af14080b6b9db28cdb2290" + }, + { + "path": "appserver/static/server_health.js", + "hash": "328341b4fc45b7e35c3718114a064661e80c16f653f1d798cf3226c953416526" + }, + { + "path": "README", + "hash": "cfa218576b3e77df9b92197427043b71b88f9b0f32028dbbb71cc3e81635979b" + }, + { + "path": "default/datamodels.conf", + "hash": "5eed66c04cfdf7c58adda24eac50f1d9f6f2e8674a0d36c8d33e7cad0d869080" + }, + { + "path": "default/data/models/Introspection_Usage.json", + "hash": "0ec363990f04209b6c9b8c571cb9edcdf5d7c25d34f5faf069ea5b21902917ec" + }, + { + "path": "default/data/models/Internal_Events.json", + "hash": "347d411013a9314c566c044d51bcdd7dde885dab96f6dcea094bcbd5fd877a19" + }, + { + "path": "default/data/ui/views/resource_usage.xml", + "hash": "1f80ff6824dfda9650ab27593e363d10fb38cfb65e45600f638e8203ae7e6a1a" + }, + { + "path": "default/data/ui/views/indexes.xml", + "hash": "7c6011b3b45a4444c15d32fcc1a3290a65e8a2ba0b3713a13b8e8f7b57d508d9" + }, + { + "path": "default/data/ui/views/search_activity.xml", + "hash": "0adf9d703d01a82d223a71031cae914a878b2e0993f118f8bedccc5e31872e9d" + }, + { + "path": "default/data/ui/views/health_status.xml", + "hash": "641c6f632ba605258fa26f47e6bafbe3d6dd1c46f27b7624c94909bae164feed" + }, + { + "path": "default/data/ui/views/scheduler_activity.xml", + "hash": "f320e946f5344a134889f615af50f8576ecdd6ce9e58043fb5985adee65de7ac" + }, + { + "path": "default/data/ui/views/saved_search_detail.xml", + "hash": "8b45f92b143cf485c58a67e634f212ccccc34a91116c063054ae904a5ed845da" + }, + { + "path": "default/data/ui/views/license_usage.xml", + "hash": "1d8f30d203586663bdff5cefa13923e048c42ae5a1b1abaf976dad981e614caa" + }, + { + "path": "default/data/ui/views/user_activity.xml", + "hash": "d32d397034c1f949988c77e558b275782cc8237e80af9667f4364bde4d611b8c" + }, + { + "path": "default/data/ui/views/indexes_and_fields.xml", + "hash": "c7862ae1f3d722dc724f58173c45c897c4d343373e23a04198bc542396927bc2" + }, + { + "path": "default/data/ui/views/deployment_status.xml", + "hash": "faefc4c337afd2b122c220228a8ee64b1a3169643c2a9fa5f8170fed27750595" + }, + { + "path": "default/data/ui/views/search_detail.xml", + "hash": "50ae8fa17a012a37abc9a41d92525ac349168993fb76f1fa51ffeb8234dc8bcd" + }, + { + "path": "default/data/ui/nav/default.xml", + "hash": "12d5f01948c75731728c67618607dc88cc3e162892b125abb4ad1df39d527d82" + }, + { + "path": "default/savedsearches.conf", + "hash": "ed284d921baa9d0c4b3d58eba5cffe26fabfb5002b41fda8a930f41eeb7ff433" + }, + { + "path": "default/app.conf", + "hash": "c047a1ec0d2c707b4e42a1cd43169510337c687a68cd76cd212f39e82e6d6a48" + }, + { + "path": "lookups/README", + "hash": "8df77968580e2571ece8e120c027a3c0a3633f18ce514fe79cf6e4d2ee830bac" + } + ] + }, + "products": [ + { + "platform": "splunk", + "product": "enterprise", + "versions": [], + "architectures": [ + "x86_64" + ], + "operatingSystems": [ + "windows", + "linux", + "macos", + "freebsd", + "solaris", + "aix" + ] + } + ] +} \ No newline at end of file