Splunk® Enterprise

Monitoring Splunk Enterprise

Download manual as PDF

Download topic as PDF

How the Monitoring Console works

This topic lists the files that the Monitoring Console modifies in a Splunk Enterprise filesystem.

These files reside in $SPLUNK_HOME/etc/apps/splunk_monitoring_console/ unless indicated otherwise. This directory contains configuration files in both a default directory and, after Monitoring Console setup, a local directory. See About configuration file directories in the Admin Manual.

File(s) Information contained in file(s) When populated
app.conf Basic information about the Monitoring Console: determines whether it is in distributed mode, and provides a short description for Splunk Web to use in Launcher. See app.conf.spec. By default. Updated when you click Apply changes.
distsearch.conf in etc/system/local Contains stanzas that reference distributed search groups created by the Monitoring Console. The names of these groups are usually prefaced with dmc_group_*. For example: [distributedSearch:dmc_group_cluster_master] When you switch to distributed mode in Monitoring Console setup and click Apply changes
dmc_alerts.conf In some cases, you can edit thresholds in a platform alert without having to directly modify the search string for that alert. For such an alert, the Monitoring Console has a template of the search string, description string, and editable parameters. The template data, which is used in the Monitoring Console Alerts Setup page, is stored here, in stanzas named for the name of the saved search in default/savedsearches.conf. By default
lookups directory Contains two important files:
  • assets.csv lists the instances that the Monitoring Console recognizes and their peer URI (unique name), server name, host, machine (host fqdn), search group (server role, custom group, or cluster). This csv is used by every Monitoring Console dashboard.
  • dmc_forwarder_assets.csv is generated when you enable forwarder monitoring. Enabling forwarder monitoring enables the scheduled search (DMC Forwarder - Build Asset Table) in savedsearches.conf, which populates this .csv file. See Configure forwarder monitoring for the Monitoring Console in this manual.
By default (on initial startup). Updated when you click Apply changes or Rebuild forwarder assets, respectively.
macros.conf Contains two types of macros:
  • Search macros for all Monitoring Console dashboards.
  • Overview page customizations set in Monitoring Console > Settings > Overview preferences.

See macros.conf.spec.

Search macros are stored here by default.

Customizations are set when you edit one and click Save.

props.conf Search-time field extraction and lookup applications and evals. See props.conf.spec. By default
savedsearches.conf Schedules and search strings for platform alerts. The saved search named DMC Forwarder - Build Asset Table runs when you enable forwarder monitoring. By default
splunk_monitoring_console_assets

.conf

This file contains:
  • A list of search peers configured with the Monitoring Console, and any for which you have disabled monitoring.
  • Any search peer identifier that has been overwritten by the Monitoring Console manually during setup, for example host, host_fqdn, indexer cluster labels, or search head cluster labels.
  • Stanzas describing which indexer and search head cluster(s) each search peer is a member of.
When you click "Apply Changes" on Setup > General setup
transforms.conf Lookup definitions for assets.csv and forwarder csv file By default

For more details about dmc_alerts.conf and splunk_monitoring_console_assets.conf, look in $SPLUNK_HOME/etc/apps/splunk_monitoring_console/README.

PREVIOUS
What can the Monitoring Console do?
  NEXT
Multi-instance deployment monitoring console setup steps

This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.3.0, 7.3.1


Comments

Thanks for the comment, Gmackinnon. This is a known issue with PDF conversion of our manuals. One workaround is to print the page to PDF using your browser's File > Print functionality. For me this works well (Chrome browser on Mac).

Andrewb splunk, Splunker
August 19, 2019

This page doesn't print well in the .pdf version. The right column of the table prints into the margin space and off the edge of the paper. The other tables in this doc are OK.

Gmackinnon
August 12, 2019

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters