Splunk® Content Packs for ITSI and IT Essentials Work


Install and configure the Content Pack for Monitoring Unix and Linux

Perform the following high-level steps to configure the Content Pack for Monitoring Unix and Linux:

  1. Install the content pack on your search head.
  2. Create a search macro that includes all indexes you're using for data collection.
  3. Enable entity discovery to automatically discover entities for which relevant data has been collected.
  4. Tune KPI base searches and KPI threshold levels for your environment.

Prerequisites

Step 1: Install the content pack

Install the content pack on an on-premises instance

Perform the following steps to install the content pack:

  1. Download the following ITSI backup file: BACKUP-CP-NIX-OS-1.0.1.zip.
  2. On your ITSI search head, create a restore job and upload the backup file. For instructions, see Restore from a backup zip file.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment.

Install the content pack on Splunk Cloud Platform

Splunk Cloud Platform customers will be able to install the content pack directly through the ITSI Content Library in a future release. Until then, Splunk Cloud Platform customers can install content packs through the ITSI REST API. If you're an on-premises customer, see Install the content pack on an on-premises instance.


Install the content pack through the REST API

On ITSI version 4.8.x you can use the itoa_interface/content_pack endpoint to install content packs through the ITSI REST API. The endpoint includes GET operations to fetch versioning information and preview the contents of the content pack, and a POST operation to install content packs.

Step 2: Create the index search macro

If you're not collecting data in the default indexes given by the Splunk Add-on for Unix and Linux, you need to create a new macro with the indexes that you're using for data collection.

Prerequisites

  • You must have the admin role to create the index search macro.
  • You must know the indexes that your organization uses to send data to your Splunk deployment using the Splunk Add-on for Unix and Linux.

Steps

  1. From Splunk Web, click Settings > Advanced Search > Search macros.
  2. Click New Search Macro.
  3. Configure the following fields:
    Field Value
    Destination app itsi
    Name itsi-cp-nix-indexes
    Definition Add all of the indexes that you're using for data collection from add-ons combined with OR operators.

    For example:

    (index=os OR index=my_nix_index OR index=<index-name>)
    
  4. Click Save.
  5. Configure read/write permissions for the macro:
    1. For the newly created macro, click Permissions.
    2. Select All apps (system).
    3. Give Read access to Everyone.
    4. Give Write access to admin.
    5. Click Save.

Step 3: (Optional) Change the module macro definition for indexes

The ITSI Operating System Module includes dashboards displaying OS metrics and other data. To populate those dashboards with data collected using the approaches in this content pack, edit the module's search macro so that it includes all of the indexes that you're using for data collection. For more information, see About the Operating System Module in the ITSI Modules Manual.

  1. From Splunk Web, click Settings > Advanced Search > Search macros.
  2. In the filter bar, search for itsi_os_module_indexes.
  3. Select the itsi_os_module_indexes macro.
  4. In the Definition field, add all of the indexes that you're using for data collection from add-ons combined with OR operators.
    For example:
    (index=windows OR index=perfmon OR index=os OR index=<index-name>)
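The macros created in Step 2 and edited in Step 3 expand into every KPI base search and into the entity discovery search, so their definitions should contain nothing but index terms. As an added example (not code from the content pack or from Splunk), the following Python builds the definition from a list of index names, refuses anything that is not a plain index name (wildcards, uppercase, leading underscores, or trailing SPL such as `OR sourcetype=*`), and prints the macros.conf and metadata/local.meta stanzas that are equivalent to saving the macro in Splunk Web with the permissions from Step 2. The naming rules are Splunk's documented restrictions for user-created indexes; the macro name and index names passed in are assumptions for illustration.

```python
"""Build and sanity-check the index macro definition used in Steps 2 and 3.

Added example, not part of the content pack. The macro expands into every
KPI base search and the entity-discovery search, so its definition should
contain only index terms. Index names are checked against Splunk's
documented naming rules for user-created indexes (lowercase letters,
digits, underscores and hyphens; no leading underscore or hyphen; no
"kvstore"), which also rejects wildcards and any appended SPL.
"""
import re

_INDEX_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")


def validate_index_name(name: str) -> str:
    """Return name unchanged if it is a valid user-created index name, else raise."""
    if not _INDEX_NAME.fullmatch(name) or "kvstore" in name:
        raise ValueError(f"not a valid Splunk index name: {name!r}")
    return name


def build_macro_definition(indexes) -> str:
    """Return the macro definition in the form the steps above use.

    Duplicates are dropped (order preserved), e.g.
    ["os", "my_nix_index"] -> "(index=os OR index=my_nix_index)".
    """
    names = [validate_index_name(n) for n in dict.fromkeys(indexes)]
    if not names:
        raise ValueError("at least one index is required")
    return "(" + " OR ".join(f"index={n}" for n in names) + ")"


def render_macros_conf(macro_name: str, indexes) -> str:
    """macros.conf stanza equivalent to saving the macro in Splunk Web."""
    return f"[{macro_name}]\ndefinition = {build_macro_definition(indexes)}\n"


def render_local_meta(macro_name: str) -> str:
    """metadata/local.meta stanza matching the permissions in Step 2:
    shared with all apps (export = system), read for everyone, write for admin."""
    return (f"[macros/{macro_name}]\n"
            "access = read : [ * ], write : [ admin ]\n"
            "export = system\n")


if __name__ == "__main__":
    # Assumed macro name and indexes; substitute your own.
    print(render_macros_conf("itsi-cp-nix-indexes", ["os", "my_nix_index"]))
    print(render_local_meta("itsi-cp-nix-indexes"))
    # Anything that is not a bare index name is refused instead of being
    # spliced into every search that expands the macro.
    for bad in ["os OR sourcetype=*", "os*", "_internal", "Prod-OS"]:
        try:
            build_macro_definition([bad])
        except ValueError as err:
            print("rejected:", err)
```

If your deployment deliberately collects OS data into a built-in underscore-prefixed index, relax the leading-character check; the point of the check is that whatever ends up in the macro is reviewed as an index list, not as free-form SPL.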
    

Step 4: Enable automatic entity discovery

Perform the following steps to ensure that ITSI automatically detects your Unix and Linux hosts. For best results, perform these steps after you configure at least one host to send data to Splunk Enterprise using the Splunk Add-on for Unix and Linux.

  1. Navigate to ITSI on the search head.
  2. Click Configuration > Entities.
  3. Click Create Entity > Import from Search.
  4. Select Ad hoc search and enter the following search:

    `itsi-cp-nix-indexes` (sourcetype="Unix:Version" OR source=hardware) earliest=-24h | eval role="operating_system_host" | stats latest(family) as family, latest(version) as version, latest(vendor_product) as vendor_product, latest(role) as itsi_role, latest(cpu_cores) as cpu_cores, latest(mem) as memory, latest(cpu_architecture) as cpu_architecture by host | fields + host, family, version, vendor_product, itsi_role, cpu_cores, memory, cpu_architecture

  5. Click the search icon to run the search and confirm that one or more hosts are shown with all columns populated.
  6. Click Next.
  7. In the Import Column As column, set the host field to Entity Title. Set all other fields to Entity Information Field.
  8. Set Conflict Resolution to Update Existing Entities and set the Conflict Resolution Field to host.
  9. Click Import.
  10. After the import completes, click Set up Recurring Import.
  11. Name the recurring import ITSI discovery of Unix and Linux servers and set the frequency based on the needs of your deployment. Use Run on cron Schedule for maximum flexibility.
  12. Click Submit.
    ITSI creates the new modular input in $SPLUNK_HOME/etc/apps/itsi/local/inputs.conf.
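Step 5 above asks you to confirm that every column is populated before importing. The following Python (an added example, not ITSI code) replays the filter, eval, and `stats latest(...) by host` logic of the Step 4 search over a few constructed events, so you can see why a host can come through with empty columns: Unix:Version events supply family, version, and vendor_product, while the hardware source supplies cpu_cores, mem, and cpu_architecture, and each column is taken from the latest event that actually carried that field. The hosts, timestamps, and values are made up; the column names are those of the search.

```python
"""Offline preview of the Step 4 entity-discovery search.

Added example; not ITSI code. Replays the search's filter, eval and
'stats latest(...) by host' over constructed events and reports hosts
whose entity information fields would be imported empty.
"""
from datetime import datetime, timedelta

# Output columns of the search, in the order of its 'fields' clause.
ENTITY_FIELDS = ("family", "version", "vendor_product", "itsi_role",
                 "cpu_cores", "memory", "cpu_architecture")

# Columns whose raw field has a different name in the events.
_RAW_FIELD = {"memory": "mem", "itsi_role": "role"}


def _t(iso):
    return datetime.fromisoformat(iso)


NOW = _t("2021-07-21T12:00:00")  # assumed search time

# Constructed sample events (all values are made up). Unix:Version events
# carry family/version/vendor_product, 'hardware' events carry cpu_cores/
# mem/cpu_architecture, so a host needs both to import with no gaps.
SAMPLE_EVENTS = [
    {"_time": _t("2021-07-20T10:00:00"), "host": "db01", "sourcetype": "Unix:Version",
     "family": "Linux", "version": "5.3.0", "vendor_product": "Ubuntu 20.04"},
    {"_time": _t("2021-07-21T09:00:00"), "host": "db01", "sourcetype": "Unix:Version",
     "family": "Linux", "version": "5.4.0", "vendor_product": "Ubuntu 20.04"},
    {"_time": _t("2021-07-21T08:30:00"), "host": "db01", "source": "hardware",
     "cpu_cores": "8", "mem": "32768", "cpu_architecture": "x86_64"},
    # web01 sends version data but its hardware input is not enabled.
    {"_time": _t("2021-07-21T07:00:00"), "host": "web01", "sourcetype": "Unix:Version",
     "family": "Linux", "version": "4.18.0", "vendor_product": "RHEL 8"},
    # A cpu event also reports a core count, but the search does not look at it.
    {"_time": _t("2021-07-21T11:00:00"), "host": "web01", "sourcetype": "cpu",
     "cpu_cores": "4"},
    # old01 last reported two days ago, outside earliest=-24h.
    {"_time": _t("2021-07-19T06:00:00"), "host": "old01", "sourcetype": "Unix:Version",
     "family": "Linux", "version": "3.10.0", "vendor_product": "CentOS 7"},
]


def discover_entities(events, now=NOW, window=timedelta(hours=24)):
    """Return {host: {column: value}} as the search would hand to the import."""
    rows = {}
    # Ascending time order, so a later event overwrites an earlier value:
    # that is what latest(field) does, per field, ignoring events without it.
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["_time"] < now - window:                       # earliest=-24h
            continue
        if ev.get("sourcetype") != "Unix:Version" and ev.get("source") != "hardware":
            continue
        ev = dict(ev, role="operating_system_host")          # | eval role=...
        row = rows.setdefault(ev["host"], {c: None for c in ENTITY_FIELDS})
        for col in ENTITY_FIELDS:
            value = ev.get(_RAW_FIELD.get(col, col))
            if value is not None:
                row[col] = value
    return rows


def hosts_with_gaps(rows):
    """Hosts that would be imported with at least one empty column."""
    return {host: [c for c, v in row.items() if v is None]
            for host, row in rows.items() if None in row.values()}


if __name__ == "__main__":
    rows = discover_entities(SAMPLE_EVENTS)
    for host, row in rows.items():
        print(host, row)
    print("incomplete:", hosts_with_gaps(rows))
```

With these events, db01 imports with version 5.4.0 (the later Unix:Version event wins) and a full hardware row, web01 appears with cpu_cores, memory, and cpu_architecture empty because the only core count it reported came from a sourcetype the search excludes, and old01 is dropped by the 24-hour window. Enabling the hardware input on web01, or widening the time window for hosts that report rarely, is the fix on the collection side; re-run the import afterwards and the Update Existing Entities conflict resolution fills in the missing fields.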

Step 5: Tune KPI base searches

This content pack ships with the following KPI base searches:

  • OS:Performance.NIX-bandwith
  • OS:Performance.NIX-cpu
  • OS:Performance.NIX-df
  • OS:Performance.NIX-iostat
  • OS:Performance.NIX-vmstat

Each search runs every 5 minutes with a 5-minute calculation window and uses only the latest value on a per-entity basis. The 5-minute calculation window ensures that you won't see N/A for less frequent data. Using the latest value means that the KPI status refreshes as quickly as possible for data collected more frequently.

You must review and tune all base searches to run at a frequency that matches your data collection interval.

Step 6: Tune KPI thresholds

Aggregate KPI thresholds use the Normal, Low, and Medium levels, while per-entity thresholds, except for available disk space, don't exceed the Medium level. Lower threshold levels for OS-level monitoring allow application-level KPIs to take a more prominent threshold level. For example, a server at 100% CPU isn't a critical issue if the apps running on that server are responding normally.

Aggregate threshold values are calculated for general use only. You must tune these threshold values according to your environment. Use the sample service that's linked to the Unix and Linux server health service template to validate your thresholds. For more information, see Overview of creating KPIs in ITSI in the Service Insights manual.

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current