Install and configure the Content Pack for Monitoring Pivotal Cloud Foundry
The Content Pack for Monitoring Pivotal Cloud Foundry (PCF) provides the elements necessary for monitoring your Pivotal Cloud Foundry deployment, with data ingested using the Splunk Firehose Nozzle for PCF. The content pack includes several preconfigured glass tables, service trees, and services that you can configure to represent your PCF server group. For more information about this content pack, see About the Content Pack for Monitoring Pivotal Cloud Foundry.
Perform the following high-level steps to configure the Content Pack for Monitoring Pivotal Cloud Foundry:
- Install the Splunk Firehose Nozzle for PCF.
- Install the content pack on your search head.
- Create the
- Tune KPI base searches and KPI threshold levels for your environment.
Create a full backup of your ITSI environment in case you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.
Step 1: Install the Splunk Firehose Nozzle for PCF
Before installing this content pack, you must first install and configure the Splunk Firehose Nozzle for PCF to get your Pivotal Cloud Foundry data into Splunk. For installation and configuration instructions, see Installing and Configuring Splunk Firehose Nozzle for Pivotal Platform in the Pivotal Partner documentation.
Step 2: Install the content pack
The Content Pack for Monitoring Pivotal Cloud Foundry is automatically available for installation once you have installed the Splunk App for Content Packs on the search head with ITSI 4.9.x or later or IT Essentials Work 4.9.x. or later. For more information, see Install the Splunk App for Content Packs.
If you are using a previous version, then you need to install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work. For more information, see Install the content pack on ITSI 4.8 and lower or IT Essentials Work 1.1.0.
Install the content pack on ITSI or IT Essentials Work 4.9.0 or later
The Content Pack for Monitoring Pivotal Cloud Foundry is automatically available for installation once you have installed the Splunk App for Content Packs on the search head with ITSI 4.9.x or later or IT Essentials Work 4.9.x. or later. For more information, see Install the Splunk App for Content Packs. After you install the Splunk App for Content Packs, you can follow these steps to install the content pack:
- From the ITSI main menu, click Configuration > Data Integrations.
- Click Add structure to your data.
- Select the Monitoring Pivotal Cloud Foundry content pack.
- Review what's included in the content pack and then click Proceed.
- Configure the following settings:
Setting Description Choose which objects to install For a first-time installation, select the items you want to install and deselect any you're not interested in.
For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.
Choose a conflict resolution rule for the objects you install For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
- Install as new - Objects are installed and any existing identical objects in your environment remain intact.
- Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
Import as enabled Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content.
This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of which option you choose.
Add a prefix to your new objects Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with
CP-to indicate they came from a content pack. This option can help you locate and manage the objects post-install.
Backfill service KPIs Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores.
- When you're satisfied with your selections, click Install selected.
- Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green check mark in the main Content Library list indicates which content packs you've already installed.
Install the content pack on ITSI 4.8 and lower or IT Essentials Work 1.1.0
If you're on a pre-4.8.0 version of ITSI, perform the following steps to install the content pack:
- Download the following ITSI backup file: BACKUP-CP-PCF-1.0.1.zip.
- On your ITSI search head, create a restore job and upload the backup file. For instructions, see Restore from a backup zip file.
- After the restore job completes, confirm that the objects included in the content pack are restored to your environment.
Step 3: Create the itsi_pcf_module_indexes macro
Create a macro called
itsi_pcf_module_indexes, as all the KPIs included in this content pack all have the macro embedded in the search.
You must have to
admin role to create the index search macro.
- From Splunk Web, click Settings > Advanced Search > Search macros.
- Click New Search Macro.
- Configure the following fields:
Field Value Destination app
Definition Add all of the indexes that you're using for data collection from add-ons combined with OR operators.
(index=pcf OR index=<index-name>)
- Click Save.
For more information about search macros, see Define search macros in Settings in the Splunk Enterprise Knowledge Manager Manual.
Step 4: Tune KPI base searches
The KPI aggregate threshold values are configured for general use to reflect the overall health of the server group. Review and tune all KPI thresholds for your specific environment, and adjust the search frequency to match your data collection interval.
Each KPI search runs every minute by default. They have a five minute calculation window and use only the latest value on a per-entity basis.
- The five minute calculation window ensures that you won't see N/A values for less frequent data.
- The combination of running every minute and using the latest value means that for data collected more frequently, the KPI status is updated as quickly as possible.
For more information on KPI thresholding, see Configure KPI thresholds in ITSI in the Service Insights manual.
After you install the content pack and configure the services and KPIs, you're ready to start monitoring your Pivotal Cloud Foundry components. From here, you can set up alerts so you can be notified of issues in your environment. For more information, see Overview of Event Analytics in ITSI.
Release notes for the Content Pack for Monitoring Pivotal Cloud Foundry
About the Content Pack for Monitoring Splunk as a Service
This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current