Manage metric rollup policies with configuration files
If you have access to the configuration files for your deployment, you can manually configure metric rollup policies for your source metric indexes. This method gives you a small amount of extra flexibility that you do not have when designing rollup policies with Splunk Web: You can define a default aggregation function for the metric rollup policy that is not <avg>.
See Roll up metrics data for faster search performance and increased storage capacity for a conceptual overview of metric rollup policies.
You should have already identified or created a source metric index and one or more target metric indexes before you create a metric rollup policy configuration. These indexes must be discoverable on the search head. If you use distributed search you have to create stand-in indexes and set up data forwarding to enable metric rollup policies.
See Index prerequisites for metric rollup policies.
Specify a metric rollup policy stanza in metric_rollups.conf
To configure a metric rollup policy you need to add a stanza to your metric_rollups.conf file.
The configuration syntax for a metric rollup policy stanza is as follows:
[index:<Metric Index Name>] defaultAggregation = [avg|count|max|median|min|perc<int>|sum] rollup.<summary number>.rollupIndex = <string Index name> rollup.<summary number>.span = <time range string> dimensionList = <comma-separated list of dimensions> dimensionListType = <excluded/included> aggregation.<metric_name> = [avg|count|max|median|min|perc<int>|sum]
The following table defines these settings. It explains which settings are required and which are optional.
| Setting | Value | Required? | Description | Default Value |
|---|---|---|---|---|
[index:<Metric Index Name>]
|
Yes | A name of a source metric index. | This is the stanza header. It names the source metric index to which the metric rollup policy belongs. | n/a |
defaultAggregation
|
[avg|count|max|median |min|perc<int>|sum]
|
Yes | This setting is the aggregation function that the rollup search uses by default when it aggregates the metric data points in the source metric index for a rollup summary. It can be overruled for specific metrics by the aggregation.<metric_name> setting.
|
avg
|
rollup.<summary number<.rollupIndex
|
<target index name>
|
Yes | This setting is one half of a rollup summary definition. Both halves of a rollup summary definition should have the same <summary number>. To be valid, a metric rollup policy stanza must include at least one full rollup summary definition. The <string Index name> is the name of the target metric index where the summary is stored. This setting is required. Do not leave it blank.
|
summary number = 1, string index name = Metric Index Name from header
|
rollup.<summary number>.span
|
<time range string>
|
Yes | This setting is one half of a rollup summary definition. Both halves of a rollup summary definition should have the same <summary number>. A metric rollup policy can have multiple rollup summary definitions. To be valid, a metric rollup policy stanza must include at least one full rollup summary definition. The <time range string> is the period of the scheduled search that populates the rollup summary with rolled up metric data points that are aggregations of metrics in the source index. This setting has a lower boundary that is governed by the minspanallowed setting in limits.conf, which has a default setting of 300 seconds, or five minutes. This setting is required. Do not leave it blank.
|
summary number = 1, time range string = 1h
|
dimensionList
|
A comma-separated list of dimensions | No | This optional setting is a comma-separated list of dimensions for a dimension filter. All of the dimensions should appear in metric data points in the source index. | Empty string |
dimensionListType
|
[included | excluded]
|
No | This optional setting provides the dimension filter type. It corresponds with the dimensionListsetting. The allowed values for this setting are excluded and included. Set it to excluded to indicate that the rollup metrics produced by the rollup policy will include all available dimensions except the ones in the dimensionList. Set it to includedto indicate that the rollup metrics produced by the rollup policy will filter out all dimensions except the ones in the dimensionList.
|
excluded
|
aggregation.<metric_name>
|
[avg|count|max|median |min|perc<int>|sum]
|
No | This optional setting provides an exclusion rule for a specific metric_name in the source metric index. Use it to provide a different aggregation function for that metric_name. A metric rollup policy can have multiple exclusion rules as long as they are each for a different metric_name. Do not set up an exclusion rule that uses the same function as the defaultAggregation setting.
|
Empty string |
Change the minimum span allowed for a rollup summarization search
The rollup.<summary number>.span setting has a lower boundary that is determined by the minspanallowed limit for the [rollup] stanza in limits.conf. minspanallowed is set to 300 seconds, or 5 minutes, by default. If you provide a span for a rollup summarization search that is lower than minspanallowed, you will see an error message.
This limit is meant to prevent you from setting up rollup summarization searches with a frequency that would likely lead to search concurrency problems, where scheduled searches fail to run when they should because there are too many searches running at once. However, if you need to change this limit, you can. Do not set minspanallowed to a value lower than 60 seconds.
| Create and edit metric rollup policies with Splunk Web | Visualize metrics in the Splunk Metrics Workspace |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0
Download manual
Feedback submitted, thanks!