Splunk® Content Packs for ITSI and IT Essentials Work


Configure the Content Pack for Unix Dashboards and Reports

Configure the data and scripted inputs, and ensure that data collection is happening on this page before you configure the app.

You can configure the Content Pack for Unix Dashboards and Reports using the Settings - Unix dashboard. Perform the following steps to open the dashboard:

  1. In Splunk Web, open ITSI.
  2. Go to Dashboards > Dashboards.
  3. Open the Settings - Unix dashboard, with the app name DA-ITSI-CP-unix-dashboards.

Change Unix indexes

Configure which indexes contain the data that the content pack uses. The Unix Indexes field allows you to specify the index(es) that the Content Pack for Unix Dashboards and Reports should use for access to *nix data it has collected.

[Figure: Settings-unix1.png]

To specify additional indexes, click Add New and enter index=<index name>, where <index name> is an existing index defined on the Splunk instance that hosts the content pack, and which contains data collected by either the Splunk app or add-on for Unix and Linux.

To remove an existing defined index, click the x next to the index field.

To confirm that the indexes you've specified contain the *nix data you want the Content Pack for Unix Dashboards and Reports to use, click Preview. A new Search page opens that displays the most recent events collected for the specified indexes.

Change data source types

To specify additional source types under each Data field, click Add New and enter sourcetype=<sourcetype>, where <sourcetype> is an existing source type defined on the Splunk instance that hosts the content pack.

To remove an existing defined source type, click the x next to the source type field.

To confirm that the source types you've specified contain the *nix data you want the Content Pack for Unix Dashboards and Reports to use, click Preview. A new Search page opens that displays the most recent events collected for the specified source types.

Define categories and groups

You can define categories and groups for the hosts that the Content Pack for Unix Dashboards and Reports has collected data for. Categories and groups allow you to compare metrics across different host types and/or roles when troubleshooting an issue, which helps you manage a large number of hosts.

[Figure: Settings-unix2.png]

The Categories panel is a first-level grouping mechanism, used to define site locations, like cities or data centers.

The Groups panel is the second-level grouping mechanism, used to define host or service groups.

The Hosts in panel contains hosts that have been assigned to the current Category and Group. The Content Pack for Unix Dashboards and Reports populates this list from the data you have collected with it.

The Hosts not in panel contains hosts that haven't been assigned to the active Category and Group. The Content Pack for Unix Dashboards and Reports populates this list from the data you have collected with it.

When you first run the Content Pack for Unix Dashboards and Reports, the content pack searches through the OS index for host entries and creates a special category called all_hosts and a special group called Default. The 50 most recent hosts it finds become members of this special category and group until you define additional categories and groups.

When you make these changes to categories and groups, the Content Pack for Unix Dashboards and Reports writes the changes to $SPLUNK_HOME/etc/apps/splunk_app_for_nix/lookups/dropdowns.csv.

If the Content Pack for Unix Dashboards and Reports can't find any hosts, it creates the default all_hosts category and Default group and sets the host value to *, which the app treats as a wildcard. If you want to create your own categories and groups, you must delete this default category and group first.

Add or remove categories and groups

To add categories, click the + to create a category called New Category. Rename the category as appropriate.

To add groups, select the category you want to add the group to, then click the + sign. You must add at least one host to a group for the Content Pack for Unix Dashboards and Reports to save the group and the group's parent category. The app doesn't save empty categories or groups.

To remove categories or groups, click Delete Category or Delete Group. If you remove a category that has groups under it, the groups in that category are also removed.

Add or remove hosts from a group

Once you have created the categories and groups you want, you can assign hosts to a group.

When you assign a host to a group, follow these guidelines:

  • You can only assign hosts to a group. The content pack then assigns the hosts to the category that contains the group.
  • You can assign hosts to more than one group at a time. However, each group must be a member of a separate category.
  • You cannot assign hosts to categories directly.

To assign a host to a group, perform the following steps:

  1. Click the group that you want to assign hosts to. The Hosts in and Hosts not in columns populate with available hosts that the Content Pack for Unix Dashboards and Reports has collected data for. Note: New groups will not have hosts in the Hosts in column.
  2. Locate the host that you want to add to the group in the Hosts not in column. Note: If a host is already a member of another group, the Content Pack for Unix Dashboards and Reports displays that group alongside the host name.
  3. Click on the host in the Hosts not in column to add a new host to the Hosts in column.

Splunk makes changes to the group based on the following factors:

  • If the host is not already a member of another group within the currently selected category, Splunk adds the host to the new group and then immediately saves the change.
  • If the host is a member of another group within the currently selected category, Splunk removes the host from the old group, adds it to the new group, and then immediately saves the change.

To remove a host from a group, perform the following steps:

  1. Click the group that you want to remove hosts from. The Hosts in column populates with the hosts that have already been assigned to the group. The Hosts not in column populates with available hosts that the Content Pack for Unix Dashboards and Reports has collected data for.
  2. Locate the host that you want to remove from the group in the Hosts in column.
  3. Click on the host. Splunk removes that host from the group and saves the change immediately.
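The assignment rules above (one group per host within a category, multiple groups across categories, empty groups never saved, and the all_hosts/Default fallback with the * wildcard) can be modelled to sanity-check a lookup before you rely on it. This is an added example, not the content pack's own code; the lookup column names (category, group, host) are assumed, since the page does not document the dropdowns.csv layout.

```python
import csv
import io

ALL_HOSTS, DEFAULT_GROUP, WILDCARD = "all_hosts", "Default", "*"


class HostGroups:
    """In-memory view of category -> group -> set of hosts."""

    def __init__(self):
        self.cats = {}  # {category: {group: set(hosts)}}

    def assign(self, category, group, host):
        """Add host to group. A host may sit in only one group per category,
        so it is moved out of any other group in the same category first."""
        groups = self.cats.setdefault(category, {})
        for name, hosts in groups.items():
            if name != group:
                hosts.discard(host)
        groups.setdefault(group, set()).add(host)

    def remove(self, category, group, host):
        """Drop host from the group; the change is effective immediately."""
        self.cats.get(category, {}).get(group, set()).discard(host)

    def groups_of(self, host):
        """Return {category: group} memberships, as shown beside a host name
        in the Hosts not in column."""
        return {c: g for c, gs in self.cats.items()
                for g, hs in gs.items() if host in hs}

    def to_csv(self):
        """Serialise only non-empty groups: empty groups are not saved."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["category", "group", "host"])  # assumed columns
        for cat, groups in sorted(self.cats.items()):
            for grp, hosts in sorted(groups.items()):
                for host in sorted(hosts):
                    writer.writerow([cat, grp, host])
        return buf.getvalue()


def bootstrap(discovered_hosts, limit=50):
    """First-run behaviour: the most recent hosts (up to 50) land in
    all_hosts/Default, or a single '*' wildcard when none were found."""
    hg = HostGroups()
    for host in (discovered_hosts[:limit] or [WILDCARD]):
        hg.assign(ALL_HOSTS, DEFAULT_GROUP, host)
    return hg
```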

Configure alerts

Alerts are only configurable by the Admin user.

The Settings:Alerts page allows you to customize the alerts that the Content Pack for Unix Dashboards and Reports displays when certain conditions trigger those alerts.

[Figure: Settings-unix3.png]

The Alerts settings page splits into three sections for each available alert:

  • The Alert section, which shows the name of the alert, as well as a text box which allows you to enter a description for the alert.
  • The Threshold section, which lets you specify when the alert triggers, as well as:
    • The business impact of the alert.
    • The remediation strategy, which is what a person who sees this alert should do to resolve it.
    • The escalation path, which is who (or what) the alert should be escalated to if attempts to resolve the alert fail, or no one responds to the alert.
  • The Status section, which lets you specify whether or not the alert is active, and change its reported severity.

The Content Pack for Unix Dashboards and Reports comes with twelve built-in alerts that you can configure. You can add descriptions, change alert thresholds, add business impact, remediation and escalation information, and choose whether or not each alert is active.

To modify the existing alerts in the Alerts settings page, perform the following steps:

  1. In the Alerts section, enter a description for the alert in the text box underneath the alert's name.
  2. In the Threshold section, drag the slider to adjust when the alert triggers. You can also click on the text box underneath the slider and enter the number manually. Valid values for the threshold depend on the alert's base search.
  3. In the Business Impact text box, enter the impact that the alert represents.
  4. In the Remediation text box, enter a sentence that describes what a person who encounters this alert can do to stop it.
  5. In the Escalation text box, enter the name of a person or entity that this alert should be escalated to if attempts to resolve the alert fail or are not made.
  6. In the Status section, click the Enabled button to enable the alert, or the Disabled button to disable the alert.
  7. Drag the slider to adjust the alert's severity (Info, Medium, or High). The alert's severity determines where and how it displays on the Alerts page.
  8. Click Save to save any changes you have made.
  9. Whenever you make a change, the Content Pack for Unix Dashboards and Reports highlights the Save button in green. This lets you know that any unsaved changes will be lost if you leave the settings page.

Next steps

Now that you have installed and configured the Content Pack for Unix Dashboards and Reports, you can start using the dashboards and visualizations in the content pack to monitor your environment.
See Use the Content Pack for Unix Dashboards and Reports.

Last modified on 25 June, 2021

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current
