IT Service Intelligence users can monitor splunk as a service easily by deploying the “Monitoring Splunk as a Service” ITSI Content Pack. In this post we take you through the simple steps to get up and running.
Step 1 – Install the Splunk App for Content Packs
There are various content packs available and there is a Splunk App to manage them all. The first thing you need to do is install the Splunk App for Content Packs:
- Splunk Cloud Customers
- Raise a support case to request the install of the app
- On-Prem Customers
- Download the app from splunkbase
- Stop Splunk
- Extract the SPL archive in {SPLUNK_HOME}/etc/apps
- Restart Splunk
Further instructions are available here.
Step 2 – Configure the Content Pack for Monitoring Splunk as a Service
From the ITSI app:
- Configuration > Data Integrations
- Select the “Add Structure to your data” tab
- Select Monitoring Splunk as a Service by clicking on the icon
- Click Proceed
- Review the options – for the quickest time to value switch on “Import as enabled” but review the guidance on that here for production systems
- Choose whether to add a prefix – we added “cp-sas-” so that we can easily see the ITSI objects that have been added by this content pack
- Install
Step 3 – Review Service Tree
Take a quick look at the service tree – your Splunk environment is now being monitored! You can delete services for components that you don’t have.
Step 4 – Create Entities
Creating the required entities is covered in the documentation here. We used a simple search as follows in order to map the splunk_role to the hostname. Thankfully we had a simple naming convention:
|tstats count where index=_internal by host
|fields - count
|eval splunk_role=case(match(host,"^itsi"),"itsi",match(host,"^idx"),"indexer",match(host,"^cm"),"indexer_cluster_master",true(),"unknown")
Summary
Hopefully we have shown that the installation and setup of the Content Pack for Monitoring Splunk as a Service is straightforward. It also delivers very quick time to value. From here you can move on to configuring alerting and tuning your thresholds.
For 2021 we’ve committed to posting a new Splunk tip every week!
If you want to keep up to date on tips like the one above then sign up below:
Subscribe to our newsletter to receive regular updates from iDelta, including news and updates, information on upcoming events, and Splunk tips and tricks from our team of experts. You can also find us on Twitter and LinkedIn.