Splunk® Enterprise

Monitoring Splunk Enterprise

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Use Splunk Assist

Read this topic to understand how the Splunk Assist interface works, and how to navigate through the Splunk Assist tabs, menus, and windows.

Overview of the Splunk Assist page

90 UseAssist.png

When the Splunk Assist page loads, it presents three distinct areas:

  • Indicator tabs. The tabs along the top of the Splunk Assist window represent categories of indicators, which are specific pieces of information that Splunk Assist uses to measure the performance and compliance of your Splunk Enterprise deployment with Splunk best practice. Each indicator lets you view additional information about it. An indicator tab is similar to a tab of a manila folder - you can use the tab to open and access the contents of the folder. Clicking the indicator tab loads information about the indicators it references in the other parts of the Splunk Assist page. Each indicator tab displays a graph that shows the number of instances in your deployment, and how many of those instances are in one of three states of compliance:
    • Conform: Where the node conforms to Splunk best practice.
    • Warning: Where one or more indicators on the instance indicate potential problems with compliance which you should monitor more closely.
    • Critical: Where an instance is out of compliance and needs your attention to rectify it.
  • Overview pane. The Overview pane shows detailed information about the nodes in your Splunk Enterprise deployment that report information on the indicator that is specified in the Indicator tab. The icons in this pane indicate the state of the instances in your deployment, whether they conform to best practice, are in a warning state, or they do not conform to best practice. In this pane, Splunk Enterprise instances are grouped by three tiers:
    • Search tier: Instances that search data appear in this tier.
    • Indexing tier: Instances that store incoming data appear in this tier.
    • Collection tier: Instances that retrieve and send data to indexers, mainly forwarders, appear in this tier.
  • Indicator summary pane. This third pane lists each available Splunk Assist indicator, with a summary of the information it collects and why. Each indicator summary has the following columns:
    • a Category which groups the indicator by type
    • a Scope that shows the types of Splunk Enterprise instances to which the indicator applies
    • Results, which display the number of instances to which the indicator applies and the number of machines that are either in compliance, in a warning state, or out of compliance

General Assist tasks

The Splunk Assist page lets you view all the insights it generates on the main page. You can filter instances by indicator, tier type, and severity, and you can also view details for a certain instance or indicator.

Show all instances for a certain indicator

  1. Click an indicator tab.
  2. In the All indicators pane, click the caret > next to an indicator. The pane updates to include a list of all machines to which the indicator applies.

Filter instances by tier type

  1. Click an indicator tab.
  2. In the Overview pane, click one of the icons that represents the tier of instances that you want to see, and the state of instances within that tier.

The Overview pane can have up to three icons per tier, depending on the states of compliance for individual instances within the tier. For example, if at least one instance in the Collection tier is in a critical state and another is in a warning state, two icons that represent the "Critical" and "Warning" states for those instances appear in that tier.

Filter instances by indicator

  1. Click an indicator tab.
  2. In the All indicators tab, in the Filter indicators text box, type in text that represents the indicators that you want to see. The "All indicators" pane updates to show the list of available indicators that match the text you type in.

Explore details of an indicator

To see the details of an indicator, click on the > button next to the indicator in the indicator list. The indicator displays a summary of what the indicator measures, and how you can remedy the instances in your deployment that are out of compliance with the indicator.

Get extended information on an indicator through Splunk Assist helper packages

Some indicators let you retrieve extended information on them. These indicators include a button within the indicator description that you can select to get the detailed information. Splunk Assist loads helper packages that provide this information when you select the button.

Splunk Assist ships with several helper packages:

  • App Assist provides detailed information on the apps and add-ons in your Splunk Enterprise deployment. Within an indicator, you see the Open App Assist button to load this helper package. See Use App Assist.
  • Certificate Assist provides detailed information on certificate management in your Splunk Enterprise deployment. Within an indicator, you see the Open Certificate Assist button to load this helper package. See Use Certificate Assist.
  • Config Assist provides detailed information on configurations in your Splunk Enterprise deployment, including security configuration. Within an indicator, you see the Open Config Assist button to load this helper package. See Use Config Assist.

Sources from where Splunk Assist collects indicators

Splunk Assist collects the indicators that it displays from several sources. The following table lists the indicators and the tiers from which Splunk Assist collects the indicators. You can refer to this table to understand how Splunk Assist gets its data, or use it for troubleshooting purposes.

Indicator type Search tier Indexing tier Forwarding tier
Availability
(requires TLS
certificates)
X X X
Security X -- --
App updates X -- --
Last modified on 01 June, 2023
PREVIOUS
Turn Splunk Assist on or off
  NEXT
Use App Assist

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters