Using Groups in Splunk App for Infrastructure
Use groups to monitor and analyze performance across multiple hosts, and to quickly find relevant log events for the entire group. When creating a group, logically group hosts together by choosing one or more dimension filters that are common across similar entities. You can also use wildcards, so that you can look across multiple hosts that might match a certain portion of the criteria.
For a video demonstration about using groups, see Video: Monitoring and Investigating Groups of Systems.
Create a group from an entity list
To create a group of entities, select hosts from your list of entities that share similar dimensions and reflect your infrastructure. Logically group these hosts together for troubleshooting and monitoring. You must already have multiple entities added to your instance in order to group them.
- Click the Investigate tab to see your list of entities.
- Click in the filter bar. Dimensions, or key/value pairs, that you created when configuring agents display in the dropdown list.
- When creating groups, multiple values with the same key are treated as an OR condition, and values with different keys are treated as an AND condition.
- Select the dimensions you want to use to filter your entities into a group.
- After selecting filter dimensions for your group, click the star icon/Save as group to the right of the filter bar. The create group dialog displays, with the group name pre-populated. You can edit the group name before saving. Note: A group name cannot contain a pipe (|) or an equals sign (=).
- Click Save to create the group. Your group is saved.
- Click View group now to view your list of groups.
- Click the Groups button on the upper left to view all of your saved groups.
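The filter semantics described in the steps above (OR within a key, AND across keys, wildcards, and the group name restriction), as an added example that is not code from the Splunk App for Infrastructure. It assumes `*` is the only wildcard and matches any run of characters; the function names, entities, and dimensions are constructed for illustration.

```python
import re
from collections import defaultdict

# From the page: a group name cannot contain a pipe or an equals sign.
FORBIDDEN_NAME_CHARS = ("|", "=")


def valid_group_name(name):
    return not any(ch in name for ch in FORBIDDEN_NAME_CHARS)


def _value_matches(pattern, value):
    # Assumption: "*" is the only wildcard; everything else is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def entity_in_group(filters, dimensions):
    """filters: list of (key, value) pairs; dimensions: the entity's key/value pairs."""
    by_key = defaultdict(list)
    for key, pattern in filters:
        by_key[key].append(pattern)
    # AND across different keys, OR across the values given for one key.
    # An entity that lacks a filtered key does not match.
    return all(
        key in dimensions
        and any(_value_matches(p, dimensions[key]) for p in patterns)
        for key, patterns in by_key.items()
    )


def group_members(filters, entities):
    return sorted(n for n, dims in entities.items() if entity_in_group(filters, dims))


# Constructed sample entities and filter dimensions.
ENTITIES = {
    "web-01": {"os": "linux", "env": "prod", "location": "us-east"},
    "web-02": {"os": "linux", "env": "staging", "location": "us-west"},
    "db-01": {"os": "windows", "env": "prod", "location": "us-east"},
    "cache-01": {"os": "linux", "env": "prod", "location": "eu-central"},
}
FILTERS = [("os", "linux"), ("env", "prod"), ("env", "staging"), ("location", "us-*")]

if __name__ == "__main__":
    print(group_members(FILTERS, ENTITIES))
```

Listing the expected members this way before saving a group makes it easier to spot a filter that silently excludes hosts you meant to monitor.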
Using the Analysis Workspace to view and analyze group performance metrics
Use the Analysis Workspace to access a group analysis view and analyze performance metrics across all the entities for a specific group. The Analysis Workspace aggregates performance across all hosts in a group. Determine poorly performing entities for a set of metrics, or determine a point in time when multiple entities began performing in a similar way. View which entities are contained in a group from the group navigation dropdown.
Explore the status of a group using the Analysis Workspace.
- Click the Investigate tab.
- Click Groups to display your list of groups.
- Click a group to drill down and display it in the Analysis Workspace.
- Click the dropdown arrow next to the group name in the header of the Analysis Workspace to view or search for entities within the group.
Monitor the health of groups using the Infrastructure Overview
Monitor the health of your system using the Infrastructure Overview. This view displays critical information about your groups, such as the hostname and IP address of entities, the status of your groups (indicated by color), and the time when the status was last updated. You can also drill down into the Analysis Workspace from this view.
- Click the Investigate tab.
- Click Groups.
- Click the tile view icon in the upper right of the page.
- The tile view displays groups in your environment.
- The color of each tile indicates if the group is active (green) or inactive (red).
- The time the group has been active is noted in the center of the tile.
- Click the group you want to explore to drill down to the Analysis Workspace. See Using the Analysis Workspace in Splunk App for Infrastructure.
Monitor group alerts
Investigate the status of alerts for groups you created. View a table of groups with triggered alerts, sort triggered group alerts by fields in the table, and filter the list of groups with triggered alerts by name.
- Go to the Alerts tab.
- Select the Groups view to display the list of groups with triggered alerts.
- (Optional) Sort the table of triggered group alerts by these fields:
- Group name
- Current severity
- Alert count
- Triggered time
- Last triggered metric
- (Optional) Use the search bar to filter groups by name.
- To further investigate an alert for a group you are monitoring:
- Select the group.
- Click the icon and select Investigate. This takes you to the Analysis Workspace for the alert. For more information, see Analyze Entities and Groups with Splunk App for Infrastructure.
Update group settings
Update group settings, including group dimensions and details, to fix errors or change the scope of a group.
- Go to the Investigate tab.
- Click the Groups button.
- Click the checkbox for the group or groups you want to update or edit.
- Click the Action dropdown for the selected group(s) and click Edit.
- Make your changes in the filter bar.
Viewing the status of servers in a group
Explore the status of servers in a group to view if they are active or inactive.
- Click the Investigate tab.
- Click Groups to display your list of groups.
- Click a group to drill down and display it in the Analysis Workspace.
- Roll over the Entity Breakdown Indicator to display information about the group. The Entity Breakdown Indicator is the icon to the left of the group name, and displays whether servers in the group are active or inactive.
- If less than 20% of servers in your group are active, a green checkmark displays.
- If greater than 20% of servers in your group are inactive, the Entity Breakdown indicator displays as a red exclamation icon.
Delete a group or groups
Delete a group or multiple groups. Deleting a group will only remove the group from the list, and will not delete any of the entities contained in the group.
To delete a single group
- Click the checkbox for the group you want to delete.
- Click Bulk Actions > Delete Selected Groups. Or, you can select the group and Action > Delete.
To delete multiple groups
- Click the checkbox in the Name header, which populates all group checkboxes.
- Click Bulk Actions > Delete Selected Groups. Or, you can select the group and Action > Delete.
This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.2.0, 1.2.1, 1.2.2, 1.2.3