Overview

Details

The Admin Pilot for Splunk (AP4S) is a comprehensive tool designed to enhance the management and operational efficiency of Splunk environments. AP4S offers detailed tracking and analysis across various facets of Splunk usage and performance, utilizing advanced machine learning techniques to forecast future licensing needs. This powerful app is essential for any Splunk administrator aiming to optimize their implementation and gain deeper insights into their data.

Admin Pilot for Splunk (AP4S) Overview

Key Features

User Login and Usage Tracking: Monitor user interactions within the Splunk environment to understand engagement patterns.
Knowledge Object Tracking: Keep tabs on Dashboards, Macros, Eventtypes, Lookups, and more to ensure optimal usage.
Index License and Size Tracking: Stay ahead of license usage and manage data storage effectively.
Resource Consumption Monitoring: Gain insights into real and SVC resource usage to optimize performance.
Search Performance Analysis: Evaluate search efficiency to improve speed and accuracy.
KV Store Health: Monitor the health of KV stores to prevent data loss or corruption.
Data Source Analysis: Analyze data source performance and reliability to enhance data ingestion and processing.

AP4S leverages machine learning to predict future license ingestion, enabling proactive management of licensing costs. It also stores valuable data for long-term analysis, facilitating continuous benchmarking of the Splunk journey.

Unique Advantages

Audit Search Activity Dashboard: Aggregates and normalizes search data from multiple internal sources, providing seamless analysis across datasets. It is instrumental in correlating searches and tracking terminated jobs, especially when memory tracking is enabled.
Enhanced Data Analysis: Collects data from various Splunk REST endpoints, enriching every included dashboard for unprecedented insights.
Optimized for Efficiency: Uses an accelerated data model, summary index, and multiple KV stores to ensure rapid access to critical data.
Reusable Macros: Over 140 macros facilitate customization and enhance the utility of custom dashboard development and ad-hoc searches.

Ideal For

AP4S is perfect for Splunk administrators who seek to:
- Thoroughly dissect any Splunk implementation.
- Conduct deep dive search analyses with extensive enrichments.
- Simplify scheduled search skip analyses in both SHC and non-SHC environments.

Conclusion

By equipping Splunk administrators with detailed insights and predictive analytics, the Admin Pilot for Splunk (AP4S) is an indispensable tool for maximizing the value of Splunk environments. Try AP4S today to revolutionize your Splunk administration and unlock the full potential of your data.

Prerequisites

Cloud & On-Prem:
Please install the following Apps on the same Cloud Search Head or Search Head Cluster you are intending to install and use Admin Pilot for Splunk (AP4S):
1. Splunk App for Lookup File Editing
2.Splunk Machine Learning Toolkit

Please note that you must install the Python for Scientific Computing Add-on before installing the Machine Learning Toolkit. Please download and install the appropriate version here:
- Mac: https://splunkbase.splunk.com/app/2881/
- Linux 64-bit: https://splunkbase.splunk.com/app/2882/
- Windows 64-bit: https://splunkbase.splunk.com/app/2883/

On-Prem:
The On-Prem Monitoring Console must be able to:
1. Search all production indexer clusters (customer may have more than one).
2. Configured to monitor all search heads (all stand alone and search head cluster members)
3. Configured to monitor all heavy forwarders (optional) - These should be configured as the Indexer role to ensure that index pipeline queues are visible. Note: You can deploy the Admin Pilot for Splunk (AP4S) for DS & HF to the DS’s & HFs.
4. Any Splunk Enterprise instance in the customer environment should ideally be configured to show in the Monitoring Console

Installation

Cloud:
Install the Admin Pilot for Splunk (AP4S) on the search head cluster and all standalone search heads.

On-Prem:
Installation should be done on a dedicated Search Head for the entire enterprise.
Customers should have existing Monitoring Console in place and configured, if not, configure a standalone search head as a Splunk Monitoring Console according to best practices and then proceed by configuring the dedicated Admin Pilot for Splunk (AP4S) SH.

Admin Pilot for Splunk (AP4S) Index Creation:
Cloud:
1. Login to any search head or search head cluster and create a new index:
2. Index name: ap4s_summary
3. Searchable Time: 400 Days
4. Additional Storage: None

On-Prem:
1. Login to the cluster manager and create a new index:
2. Index name: ap4s_summary
3. Searchable Time: 400 Days

Note for On-Prem customers:
If you have multiple Splunk environments that are separated physically and have its own dedicated Splunk Monitoring Console, Splunk Cluster Manager etc.., you can create a dedicated index for each using this example:
Env1: ap4s_summary_env1
Env2: ap4s_summary_env2

This will keep the data isolated at first and on the Admin Pilot for Splunk (AP4S) enterprise Search Head, all of the data from all of the summary indexes will be combined.
Please be sure to use the naming convention in Appendix C - Monitoring Console Custom Groups Naming Convention

Admin Pilot for Splunk (AP4S) Data Collection Configuration
Got to https://splunkbase.splunk.com/app/6489 and watch this video: https://youtu.be/fvU-uNh1huY also, scroll to find the Admin Pilot for Splunk (AP4S) for Splunk Setup Screen screenshot.

Restore the Admin Pilot for Splunk (AP4S) 101 KV Store Database
watch this video: https://youtu.be/fvU-uNh1huY

Setup the App identities
• Launch AP4S Setup and click on the Admin Pilot for Splunk (AP4S) Custom Identities Gen Job hyperlink.
• The template job called splunk_identities_custom_kv_store_lookup_gen you can use to map your identity fields to Admin Pilot for Splunk (AP4S) identities to help us expose how the various LOBs/SubLOBs, departments etc.. are using Splunk.
• The Most critical fields are: identity, emp_name, emp_type, emp_status, emp_title, emp_dep, emp_lob1, emp_city, emp_region1 & emp_country.

Release Notes

Version 1.1.12

March 12, 2024

1. AP4S Search Repository Enhancement:

To update the AP4S search repository to the latest version, navigate to the management tab and select "Admin Pilot for Splunk 101 Repository Factory defaults and initialization." Then, remove the comment at the bottom to upgrade the repository.

2. HTTP Event Collector (HEC) Inputs Security Improvement:

The Daily Job "Http Event Collector (HEC) Inputs Summary Index Gen Job From REST - [Daily - 03:35]" (identified as splunk_rest_data_inputs_http_sh_summary_data_gen) now encrypts the HEC token using MD5. This ensures that the HEC token is not exposed in clear text.

3. Knowledge Object Changes Tracker Job Fix:

The "Knowledge Object Changes Tracker Job Summary Index - [At every 5th minute from 0 through 55]" (also known as splunk_internal_splunkd_ui_access_ko_changes_idx_summary_tracker) has received a bug fix, enhancing its performance and reliability.

Version 1.1.11

Dec. 13, 2023

The Insights App for Splunk (IA4S), previously known as Global Monitoring Console (GMC), is undergoing another name change. This adjustment is necessary to prevent potential conflicts with upcoming Splunk solutions. The new name for the IA4S app is now Admin Pilot for Splunk (AP4S).

Version 1.1.10

April 6, 2023

Version 1.1.9

Feb. 16, 2023

Version 1.1.8

Jan. 20, 2023

Minor fixes to the following dashboards:
1- IA4S - 02 - Splunk Internal Log Analysis
2- SH - 01 - Dashboards Deep Analysis
3 - SH - 02 - Reports/Alerts Deep Analysis
4 - SH - 06 - Skipped and Deferred Search Analysis
5- SH - 16 - Installed Apps and Splunkbase Apps Analysis
Fixes to the following jobs:
1- splunk_identities_custom_kv_store_lookup_genr
2- splunk_summary_data_index_volumes_idx_kv_store_lookup_geno
3- ia4s_tracking_macros_enterprise_example
4- splunk_summary_admin_transforms_lookup_sh_kv_store_lookup_genr

Version 1.1.7

Jan. 9, 2023

Fixed and improved IA4S - 03 - App and Health Info dashboard
Fixed and improved IA4S - 05 - Adoption dashboard
Fixed and improved IA4S - 08 - Config Files Analysis dashboard
Added Disk Usage tab to IA4S - 09 - Resource Usage Analysis dashboard
Fixed a bug in IDX - 01 - Data Quality Analysis dashboard
Improvements to the IDX - 02 - Index Details dashboard
Improvements to the SH - 06 - Skipped and Deferred Search Analysis dashboard
Improvements to SH - 16 - Installed Apps & Splunkbase Apps Analysis dashboard
Improvements to UF - 01 - Forwarding Analysis - Index Based dashboard
Bug Fixes in SH-07

Version 1.1.6

Jan. 3, 2023

Added a new Distributed Search Allow and Deny Lists Gen Jobs to accurately collect the Allow/Deny rulesets from the search head tier.
Improved SH-19 to take advantage of the new jobs above, added "7. Exclude files based on splunk_rest_distsearch_replication_kv_store_lookup" to the exclusion filters.
IA4S-05 - Adoption fixes and improvements
IA4S-09A - Resource Usage Analysis performance improvements
IDX-02 - Index Details fixes and improvements
SH - 01 - Dashboards Deep Analysis fixes and improvements
SH - 02 - Reports/Alerts Deep Analysis fixes and improvements
SH - 04 - Audit Search Activity fixes and improvements
SH - 15 - Knowledge Objects Inventory fixes and improvements

Version 1.1.4

Dec. 16, 2022

The IA4S - 07 - App Setup and the Setup Screen are now auto-detecting the platform the App is running on, either Splunk Cloud or Splunk Enterprise. This allows these dashboards to show/hide panels and jobs that are only applicable to each platform.
Simplified the Setup process of the app & refreshed the Setup Insights App for Splunk (IA4S) Setup Screen diagram.
SH-17 Automation and SH-12 Scheduled Search Balance are now Tabs 3 and 4 in SH-02 and improved performance.
SH-11 Data Models Analysis and SH-08 Event Types Analysis are now Tabs 1 & 2 in SH-11.
SH-10 Source Types Analysis is now Tab 1 in SH-07.
IDX-05 Data Inputs Analysis is now Tab 2 in IDX-09.
SS-02, SS-03 & SS-04 are now Tabs 2, 3 & 4 in SS-01 and improved performance.
SS-05 and 06 dashboards performance improvements.
Fixed multiple issues with UF-03 & 04 and improved performance.
Bug Fixes and enhancements to various dashboards and jobs.

Version 1.1.2

Dec. 8, 2022

Enhanced The Forwarder tier and SmartStore Dashboards
Updated the IA4S 101 Repository
Bug fixes

Version 1.0.62

Oct. 6, 2022

Bug fixes and enhancements

Version 1.0.54

Aug. 2, 2022

Bug Fixes and Enhancements

Version 1.0.53

Aug. 1, 2022

Bug Fixes
Enhanced the setup screen and dashboard
Enhanced the instructions in the setup dashboard
Created a new workflow diagram for the setup process
Created a quick video to guide through the setup process

2,623

Downloads

Share Subscribe

Version

Built by

Splunk Works

Contributors

Tomas Chase
AK Khamis
srv-sscp-gitlab-scma

Support

Not Supported

Questions on Splunk Answers Flag as inappropriate

Compatibility

This version of the app (1.0.54) is not available for Splunk Cloud. However, version 1.1.10 of this app is available for Splunk Cloud.

This version of the app (1.0.53) is not available for Splunk Cloud. However, version 1.1.10 of this app is available for Splunk Cloud.

Products: Splunk Enterprise, Splunk Cloud

Products: Splunk Enterprise

Splunk Versions: 9.3, 9.2, 9.1, 9.0