Splunk® Enterprise

Metrics

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Manage metric rollup policies with configuration files

If you have access to the configuration files for your deployment, you can manually configure metric rollup policies for your source metric indexes. This method gives you a small amount of extra flexibility that you do not have when designing rollup policies with Splunk Web: You can define a default aggregation function for the metric rollup policy that is not <avg>.

See Roll up metrics data for faster search performance and increased storage capacity for a conceptual overview of metric rollup policies.

You should have already identified or created a source metric index and one or more target metric indexes before you create a metric rollup policy configuration. These indexes must be discoverable on the search head. If you use distributed search you have to create stand-in indexes and set up data forwarding to enable metric rollup policies.

See Index prerequisites for metric rollup policies.

Specify a metric rollup policy stanza in metric_rollups.conf

To configure a metric rollup policy you need to add a stanza to your metric_rollups.conf file.

The configuration syntax for a metric rollup policy stanza is as follows:

[index:<Metric Index Name>]
defaultAggregation = [avg|count|max|median|min|perc<int>|sum]
rollup.<summary number>.rollupIndex = <string Index name>
rollup.<summary number>.span = <time range string>
dimensionList = <comma-separated list of dimensions>
dimensionListType = <excluded/included>
aggregation.<metric_name> = [avg|count|max|median|min|perc<int>|sum]

The following table defines these settings. It explains which settings are required and which are optional.

Setting Value Required? Description Default Value
[index:<Metric Index Name>] Yes A name of a source metric index. This is the stanza header. It names the source metric index to which the metric rollup policy belongs. n/a
defaultAggregation [avg|count|max|median |min|perc<int>|sum] Yes This setting is the aggregation function that the rollup search uses by default when it aggregates the metric data points in the source metric index for a rollup summary. It can be overruled for specific metrics by the aggregation.<metric_name> setting. avg
rollup.<summary number<.rollupIndex <target index name> Yes This setting is one half of a rollup summary definition. Both halves of a rollup summary definition should have the same <summary number>. To be valid, a metric rollup policy stanza must include at least one full rollup summary definition. The <string Index name> is the name of the target metric index where the summary is stored. This setting is required. Do not leave it blank. summary number = 1, string index name = Metric Index Name from header
rollup.<summary number>.span <time range string> Yes This setting is one half of a rollup summary definition. Both halves of a rollup summary definition should have the same <summary number>. A metric rollup policy can have multiple rollup summary definitions. To be valid, a metric rollup policy stanza must include at least one full rollup summary definition. The <time range string> is the period of the scheduled search that populates the rollup summary with rolled up metric data points that are aggregations of metrics in the source index. This setting has a lower boundary that is governed by the minspanallowed setting in limits.conf, which has a default setting of 300 seconds, or five minutes. This setting is required. Do not leave it blank. summary number = 1, time range string = 1h
dimensionList A comma-separated list of dimensions No This optional setting is a comma-separated list of dimensions for a dimension filter. All of the dimensions should appear in metric data points in the source index. Empty string
dimensionListType [included | excluded] No This optional setting provides the dimension filter type. It corresponds with the dimensionListsetting. The allowed values for this setting are excluded and included. Set it to excluded to indicate that the rollup metrics produced by the rollup policy will include all available dimensions except the ones in the dimensionList. Set it to includedto indicate that the rollup metrics produced by the rollup policy will filter out all dimensions except the ones in the dimensionList. excluded
aggregation.<metric_name> [avg|count|max|median |min|perc<int>|sum] No This optional setting provides an exclusion rule for a specific metric_name in the source metric index. Use it to provide a different aggregation function for that metric_name. A metric rollup policy can have multiple exclusion rules as long as they are each for a different metric_name. Do not set up an exclusion rule that uses the same function as the defaultAggregation setting. Empty string

Change the minimum span allowed for a rollup summarization search

The rollup.<summary number>.span setting has a lower boundary that is determined by the minspanallowed limit for the [rollup] stanza in limits.conf. minspanallowed is set to 300 seconds, or 5 minutes, by default. If you provide a span for a rollup summarization search that is lower than minspanallowed, you will see an error message.

This limit is meant to prevent you from setting up rollup summarization searches with a frequency that would likely lead to search concurrency problems, where scheduled searches fail to run when they should because there are too many searches running at once. However, if you need to change this limit, you can. Do not set minspanallowed to a value lower than 60 seconds.

Last modified on 25 September, 2019
Create and edit metric rollup policies with Splunk Web   Visualize metrics in the Splunk Metrics Workspace

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters