Considerations when using tsidx namespaces
The Splunk App for NetApp Data ONTAP uses tsidx stats to offer better search acceleration than is possible using either summary indexing or report acceleration. tsidx is similar to summary indexing, in that it allows for dramatically improved performance. When using tsidx stats the Splunk App for NetApp Data ONTAP creates a number of tsidx namespaces that are used to store the summary statistical data used by the dashboards in the app.
Storage requirements for tsidx namespaces
Summary data for the Splunk App for NetApp Data ONTAP is stored on the search head, except in a search head pooled environment. In a search head pooled environment, summary data for the Splunk App for NetApp Data ONTAP is stored in shared storage that can be accessed by all search heads.
Defined namespaces
In the Splunk App for NetApp Data ONTAP, all performance data is stored in tsidx namespaces. You can see a list of all of the namespaces defined for use by the app in the $SPLUNK_HOME/etc/apps/splunk_app_netapp/default/savedsearches.conf file.
If the tsidx namespaces are created correctly, performance data populates the index, and the app uses this data to populate its dashboards.
Setting a retention policy
You can manage the size of the namespace files using a retention policy. A custom retention policy is specified in the $SPLUNK_HOME/etc/apps/<add-on>/(default|local)/tsidx_retention.conf file, where you can limit both the size of the tsidx namespaces and the length of time that namespaces are retained.
The $SPLUNK_HOME/etc/apps/SA-Utils/default/tsidx_retention.conf file sets up a default retention policy for all namespaces. If a specific retention policy is not set up for an individual namespace, the app uses the default value specified in SA-Utils for that namespace. To apply the recommended settings, create a local/tsidx_retention.conf file and configure the settings there to set a policy for all namespaces.
To set up a retention policy for specific namespaces in the app, edit the local/tsidx_retention.conf file in each of the add-ons where you want to modify the tsidx namespace retention time. The namespaces in your deployment are "cleaned up" (purged) whenever these limits are reached. For example, create a $SPLUNK_HOME/etc/apps/splunk_app_netapp/local/tsidx_retention.conf file and uncomment the namespaces that you want to use in the app and the values associated with those namespaces. You can use the default values for the namespaces or modify the settings to values that work in your environment.
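The following Python sketch is an added example, not part of the Splunk documentation or the app. It resolves which retention limits apply to each namespace listed on this page when a per-namespace stanza in the app's local file overrides the SA-Utils default. The key names `maxTotalDataSizeMB` and `retentionTimePeriodInSecs` are assumptions to confirm against the tsidx_retention.conf shipped in SA-Utils, the file contents are constructed samples, and the layering is a simplification of Splunk's configuration precedence.

```python
import configparser

# Assumed key names; confirm against the tsidx_retention.conf shipped in SA-Utils.
SIZE_KEY, AGE_KEY = "maxTotalDataSizeMB", "retentionTimePeriodInSecs"

# The seven namespaces listed on this page.
NAMESPACES = ["tsidx-perf-%s-ontap" % n for n in
              ("aggr", "disk", "lun", "qtree", "system", "vfiler", "volume")]

# Constructed sample contents, not the values shipped with SA-Utils or the app.
SA_UTILS_DEFAULT = """
[default]
maxTotalDataSizeMB = 10000
retentionTimePeriodInSecs = 7776000
"""
APP_LOCAL = """
[tsidx-perf-aggr-ontap]
retentionTimePeriodInSecs = 75479040

[tsidx-perf-disk-ontap]
maxTotalDataSizeMB = 20000
retentionTimePeriodInSecs = 2592000
"""

def parse(text):
    """Parse .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(default_section="__unused__", interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def effective_policy(namespace, layers):
    """Merge layers (lowest precedence first); a namespace stanza beats [default]."""
    merged = {}
    for stanza in ("default", namespace):
        for layer in layers:
            merged.update(layer.get(stanza, {}))
    return {
        "size_mb": int(merged[SIZE_KEY]) if SIZE_KEY in merged else None,
        "days": round(int(merged[AGE_KEY]) / 86400, 1) if AGE_KEY in merged else None,
        "explicit": any(namespace in layer for layer in layers),
    }

def report(layers):
    """Effective policy for every namespace listed on this page."""
    return {ns: effective_policy(ns, layers) for ns in NAMESPACES}

if __name__ == "__main__":
    for ns, p in report([parse(SA_UTILS_DEFAULT), parse(APP_LOCAL)]).items():
        note = "" if p["explicit"] else "  (falls back to [default])"
        print(f"{ns:26} {str(p['size_mb']):>7} MB {str(p['days']):>7} days{note}")
```

Namespaces reported as falling back to `[default]` are the ones purged on the global limits, so review them before relying on the summary data for long-range reporting.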
Namespaces used in the Splunk App for NetApp Data ONTAP
The Splunk App for NetApp Data ONTAP creates a number of tsidx namespaces that are used to store the summary statistical data used by the dashboards in the app. The tables list the namespaces defined in the app and the attributes associated with each namespace. For each namespace, each table lists the location, the searches that populate the namespace (the Generating search), the search used to identify the fields that store the data in the namespace, and the suggested retention period for the data.
tsidx-perf-aggr-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_aggr |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=aggrPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
tsidx-perf-disk-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_disk |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=diskPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
tsidx-perf-lun-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_lun |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=lunPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
tsidx-perf-qtree-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_qtree |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=qtreePerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
tsidx-perf-system-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_system |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=systemPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
tsidx-perf-vfiler-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_vfiler |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=vfilerPerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
tsidx-perf-volume-ontap namespace
Details | Description |
---|---|
Location | splunk_app_netapp |
Generating search | netapp_perf_volume |
Schedule | runs every 5 minutes |
Suggested retention period | 873.6 days |
Search to populate the fields | sourcetype=ontap:perf source=VolumePerfHandler [stats count |addinfo | eval cutoff=info_max_time-300 | eval prefix="_indextime>" | eval search=prefix+cutoff | table search] | table * | rename _time AS time | fields - _*, punct, index,source,sourcetype,splunk_server | rename time AS _time |
This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.0, 2.0.1, 2.0.2, 2.0.3