This technology add-on for the Fire Brigade app is a data collection tool
only. It contains a saved search, called "DB inspection", which is scheduled
to run once daily, and a couple of macros to support this search.
The search calls the "dbinspect" search command, once for each index listed
within the "monitored_indexes.csv" lookup table. Only indexes named in this
table will be examined in this way. It is important to keep this list up to
date if comprehensive monitoring of the indexes in your environment is
required.
The dbinspect command provides a listing of all of the buckets within the
named index, and some statistics about each. This data is required by the main
Fire Brigade application to display relevant charts and metrics about the
monitored indexes. At the time of writing, dbinspect is not a "distributed"
search command, meaning that this TA must be installed on all of the indexers
in a distributed Splunk environment.
NOTE: A standalone Splunk system (all-in-one) will still require this TA; the main app no longer does any data collection.
Data collected by this app is sent to the "summary" index, which exists in all
default Splunk installations. No additional indexes need to be created.
There are two modes of operation for this TA. The data collection script will
run the dbinspect search command, looping over all of the indexes listed in
the lookup table "monitored_indexes.csv". Administrators have the option of
manually updating this list to constrain the search to only a subset of
indexes. In order to achieve this manual control, the saved search titled
"Update monitored list from REST" must be disabled. By default, this search
periodically uses the REST API to retrieve the current list of non-disabled
indexes on the local system and saves the results to
monitored_indexes.csv. In this default mode, the TA will track all of the
indexes on the system automatically, without the need to manually update the
lookup table.
This version is compatible with the dbinspect command featured in versions 6.0 and higher of Splunk Enterprise.
This has the same contents as the "version 2" TA for Fire Brigade, just updated here to make it easier to find. There is no change in functionality. If you were already running version 2.0.1, this app is exactly the same, just run through the same build process as the main app (Fire Brigade), so with slightly different version numbers. If you're already running TA-fire_brigade version 2, no upgrade is required.