Splunk® App for Infrastructure (Legacy)

Use Splunk App for Infrastructure


Using Groups in Splunk App for Infrastructure

Use groups to monitor and analyze performance across multiple hosts, and to quickly find relevant log events for the entire group. When creating a group, logically group hosts together by choosing one or more dimension filters that are common across similar entities. You can also use wildcards, so that you can look across multiple hosts that might match a certain portion of the criteria.

For a video demonstration about using groups, see Video: Monitoring and Investigating Groups of Systems.

Create a group from an entity list

To create a group of entities, select hosts from your list of entities that have similar dimensions, so that the group reflects your infrastructure. Logically group these hosts together for troubleshooting and monitoring. You must have multiple entities already added to your instance in order to group them.

  1. Click the Investigate tab to see your list of entities.
  2. Click in the filter bar. Dimensions, or key/value pairs, that you created when configuring agents display in the dropdown list.
    1. When creating groups, multiple values with the same key are treated as an OR condition, and values with different keys are treated as an AND condition.
  3. Select the dimensions you want to use to filter your entities into a group.
  4. After selecting filter dimensions for your group, click the star icon/Save as group to the right of the filter bar. The create group dialog displays, with the group name pre-populated. You can edit the group name before saving. Note: A group name cannot contain a pipe (|) or an equals sign (=).
  5. Click Save to create the group. Your group is saved.
  6. Click View group now to view your list of groups.
  7. Click the Groups button on the upper left to view all of your saved groups.
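
The filter rules in this procedure (OR within a key, AND across keys, wildcards, and the group name restriction) can be modeled in a few lines. This is an added illustration, not Splunk's code: the function names, the sample entities, and the use of shell-style wildcard matching are assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample entities: hostname -> dimensions (key/value pairs).
ENTITIES = {
    "web-01": {"os": "linux", "role": "web", "location": "seattle"},
    "web-02": {"os": "linux", "role": "web", "location": "austin"},
    "db-01": {"os": "linux", "role": "db", "location": "seattle"},
    "win-01": {"os": "windows", "role": "web", "location": "seattle"},
}


def validate_group_name(name):
    """Naming rule from the page: no pipe (|) and no equals sign (=)."""
    return "|" not in name and "=" not in name


def group_members(entities, filters):
    """Return sorted entity names matching a list of (key, pattern) filters.

    Values that share a key are ORed; different keys are ANDed.
    Patterns may contain * (assumption: shell-style matching via fnmatch).
    """
    by_key = defaultdict(list)
    for key, pattern in filters:
        by_key[key].append(pattern)

    members = []
    for name, dims in entities.items():
        # Every key must be present and match at least one of its patterns.
        if all(
            key in dims and any(fnmatchcase(dims[key], p) for p in patterns)
            for key, patterns in by_key.items()
        ):
            members.append(name)
    return sorted(members)


if __name__ == "__main__":
    # (location=seattle OR location=austin) AND os=linux
    print(group_members(ENTITIES, [("location", "seattle"),
                                   ("location", "austin"),
                                   ("os", "linux")]))
    # role=web AND location=sea*
    print(group_members(ENTITIES, [("role", "web"), ("location", "sea*")]))
```

Adding a second value for an existing key widens the group, while adding a new key narrows it, which is worth checking before saving a group that other views will depend on.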

Using the Analysis Workspace to view and analyze group performance metrics

Use the Analysis Workspace to access a group analysis view and analyze performance metrics across all the entities for a specific group. The Analysis Workspace aggregates performance across all hosts in a group. Determine poorly performing entities for a set of metrics, or determine a point in time when multiple entities began performing in a similar way. View which entities are contained in a group from the group navigation dropdown.

Explore the status of a group using the Analysis Workspace.

  1. Click the Investigate tab.
  2. Click Groups to display your list of groups.
  3. Click a group to drill down and display it in the Analysis Workspace.
  4. Click the dropdown arrow next to the group name in the header of the Analysis Workspace to view or search for entities within the group.

Monitor the health of groups using the Infrastructure Overview

Monitor the health of your system using the Infrastructure Overview. This view displays critical information about your groups, such as the hostname and IP address of entities, the status of your groups (indicated by color), and the time the status was last updated. From this view you can also drill down into the Analysis Workspace.

  1. Click the Investigate tab.
  2. Click Groups.
  3. Click the tile view icon in the upper right of the page.
    • The tile view displays groups in your environment.
    • The color of each tile indicates if the group is active (green) or inactive (red).
    • The time the group has been active is noted in the center of the tile.
  4. Click the group you want to explore to drill down to the Analysis Workspace. See About Analytics in the Analysis Workspace in Splunk App for Infrastructure.

Update group settings

Update group settings, including group dimensions and details, to fix errors or change the scope of a group.

  1. Click the Investigate tab.
  2. Click the Groups button.
  3. Click the checkbox for the group or groups you want to update or edit.
  4. Click the Action dropdown for the selected group(s) and click Edit.
  5. Make your changes in the filter bar.

Viewing the status of servers in a group

Explore the status of servers in a group to view if they are active or inactive.

  1. Click the Investigate tab.
  2. Click Groups to display your list of groups.
  3. Click a group to drill down and display it in the Analysis Workspace.
  4. Roll over the Entity Breakdown Indicator to display information about the group. The Entity Breakdown Indicator is the icon to the left of the group name, and displays whether servers in the group are active or inactive.
    1. If fewer than 20% of servers in your group are active, a green checkmark displays.
    2. If more than 20% of servers in your group are inactive, the Entity Breakdown Indicator displays as a red exclamation icon.

Delete a group or groups

Delete a group or multiple groups. Deleting a group will only remove the group from the list, and will not delete any of the entities contained in the group.

To delete a single group

  1. Click the checkbox for the group you want to delete.
  2. Click Bulk Actions > Delete Selected Groups. Alternatively, select the group and click Action > Delete.

To delete multiple groups

  1. Click the checkbox in the Name header, which selects all group checkboxes.
  2. Click Bulk Actions > Delete Selected Groups. Alternatively, select the group and click Action > Delete.

Last modified on 20 May, 2021

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only, 2.2.0 Cloud only, 2.2.1, 2.2.3 Cloud only, 2.2.4, 2.2.5

