Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. Click here for the latest version.Download topic as PDF
The following are the spec and example files for
# Version 7.1.6 # # This file sets the default thresholds for Splunk Enterprise's built # in Health Report. # # Feature stanzas contain indicators, and each indicator has two thresholds: # * Yellow: Indicates something is wrong and should be investigated. # * Red: Means that the indicator is effectively not working. # # There is a health.conf in the $SPLUNK_HOME/etc/system/default/ directory. # Never change or copy the configuration files in the default directory. # The files in the default directory must remain intact and in their original # location. # # To set custom configurations, create a new file with the name health.conf in # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings # that you want to customize to the local configuration file. # # To learn more about configuration files (including precedence), see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
full_health_log_interval = <number> * The amount of time, in seconds, that elapses between each ‘PeriodicHealthReporter=INFO’ log entry. * Default: 30. suppress_status_update_ms = <number> * The minimum amount of time, in milliseconds, that must elapse between an indicator's health status changes. * Changes that occur earlier will be suppressed. * Default: 300.
health_report_period = <number> * The amount of time, in seconds, that elapses between each Clustering health report run. * Default: 20. disabled = [0|1] * A value of 1 disables the clustering feature health check. * Default: 0 (enabled)
suppress_status_update_ms = <number> * The minimum amount of time, in milliseconds, that must elapse between an indicator's health status changes. * Changes that occur earlier will be suppressed. * Default: 300. indicator:<indicator name>:<indicator color> = <number> * There are various indicator names. See your health.conf for the complete list. * There are two valid colors: yellow and red. * These settings should not be adjusted lightly. If the numbers are set too high, you might inadvertently mask serious errors that the Health Report is trying to bring to your attention.
# Version 7.1.6 # # This file contains an example health.conf. Use this file to configure thresholds # for Splunk Enterprise's built in Health Report. # # To use one or more of these configurations, copy the configuration block # into health.conf in $SPLUNK_HOME/etc/system/local/. You must restart # Splunk to enable configurations. [health_reporter] # Every 30 seconds a new ‘PeriodicHealthReporter=INFO’ log entry will be created. full_health_log_interval = 30 # If an indicator’s health status changes before 600 milliseconds elapses, # the status change will be suppressed. suppress_status_update_ms = 600 [clustering] # Clustering health report will run in every 20 seconds. health_report_period = 20 # Enable the clustering feature health check. disabled = 0 [feature:s2s_autolb] # If more than 20% of forwarding destinations have failed, health status changes to yellow. indicator:s2s_connections:yellow = 20 # If more than 70% of forwarding destinations have failed, health status changes to red. indicator:s2s_connections:red = 70
Last modified on 22 January, 2019
This documentation applies to the following versions of Splunk® Enterprise: 7.1.6
Feedback submitted, thanks!