Splunk® App for NetApp Data ONTAP (Legacy)

Deploy and Use the Splunk App for NetApp Data ONTAP

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for NetApp Data ONTAP (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Considerations when using tsidx namespaces

The Splunk App for NetApp Data ONTAP uses tsidx stats to offer better search acceleration than is possible using either summary indexing or report acceleration. tsidx is similar to summary indexing, in that it allows for dramatically improved performance. When using tsidx stats the Splunk App for NetApp Data ONTAP creates a number of tsidx namespaces that are used to store the summary statistical data used by the dashboards in the app.

Storage requirements for tsidx namespaces

The Splunk App for NetApp Data ONTAP uses tsidx stats to offer better search acceleration than is possible using either summary indexing or report acceleration. Tsidx is similar to summary indexing, in that it allows for dramatically improved performance. When using tsidx stats, the Splunk App for NetApp Data ONTAP creates a number of tsidx namespaces to store the summary statistical data used by the dashboards in the app. Summary data for the Splunk App for NetApp Data ONTAP is stored on the search head, except in a search head pooled environment. In a search head pooled environment, summary data for the Splunk App for NetApp Data ONTAP is stored in shared storage that can be accessed by all search heads.

Defined namespaces

In the Splunk App for NetApp Data ONTAP all performance data is stored in tsidx namespaces. You can see a list of all of the namespaces defined for use by the app in the $SPLUNK_HOME/etc/apps/splunk_app_netapp/default/savedsearches.conf file. If the tsidx_namespaces are created correctly, then performance data populates the index and this information is used to populate the dashboards with performance data throughout the app.

Setting a retention policy

You can manage the size of the namespace files using a retention policy. A custom retention policy is specified in the $SPLUNK_HOME/etc/apps/<add-on>/(default|local)/tsidx_retention.conf file, where a limit can be put on the size of the tsidx namespaces and a limit can be applied to the length of time that namespaces are retained.

The $SPLUNK_HOME/etc/apps/SA-Utils/default/tsidx_retention.conf file is used to set up a default retention policy for all namespaces. If specific retention policies are not set up for individual namespaces, then the app uses the default value specified in SA-utils, for all namespaces that do not have one specifically defined. To apply the recommended settings, create a local/tsidx_retention.conf file and configure the settings there to set a policy for all namespaces.

To set up a retention policy for specific namespaces in the app, edit the local/tsidx_retention.conf file in each of the add-ons where you want to modify the tsidx namespace retention time. The namespaces in your deployment will be "cleaned up" (purged) whenever these settings are reached. For example, create a $SPLUNK_HOME/etc/apps/splunk_app_netapp/local/tsidx_retention.conf file and uncomment the namespaces that you want to use in the app and the values associated with those namespaces. You can use the default values for the namespaces or modify the settings to values that work in your environment.

Namespaces used in the Splunk App for NetApp Data ONTAP

The Splunk App for NetApp Data ONTAP creates a number of tsidx namespaces that are used to store the summary statistical data used by the dashboards in the app. The tables list the namespaces defined in the app and the attributes associated with each namespace. For each namespace, each table lists the location, the searches that populate the namespace (the Generating search), the search used to identify the fields that store the data in the namespace, and the suggested retention period for the data.

tsidx-perf-aggr-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_aggr
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=aggrPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time


tsidx-perf-disk-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_disk
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=diskPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time

tsidx-perf-lun-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_lun
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=lunPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time

tsidx-perf-qtree-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_qtree
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=qtreePerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time

tsidx-perf-system-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_system
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=systemPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time

tsidx-perf-vfiler-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_vfiler
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=vfilerPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time

tsidx-perf-volume-ontap namespace

Details Description
Location splunk_app_netapp
Generating search netapp_perf_volume
Schedule runs every 5 minutes
Suggested retention period 873.6 days
Search to populate the fields sourcetype=ontap:perf source=VolumePerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time
Last modified on 21 August, 2015
PREVIOUS
Configure data models 		  NEXT
Upgrade

This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.0, 2.0.1, 2.0.2, 2.0.3

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters