Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. Click here for the latest version.Download topic as PDF
The following are the spec and example files for
Version 7.3.2 This file contains possible attribute/value pairs for rollup policy entries in metric_rollups.conf. You can configure rollup policies by creating your own metric_rollups.conf. There is a default metric_rollups.conf in $SPLUNK_HOME/etc/system/default. To set custom configurations, place a metric_rollups.conf in $SPLUNK_HOME/etc/system/local/. For examples, see metric_rollups.conf.example. You must restart Splunk to enable configurations. To learn more about configuration files (including precedence) please see the documentation located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
Use the [default] stanza to define any global settings. * You can also define global settings outside of any stanza, at the top of the file. * Each conf file should have at most one default stanza. If there are multiple default stanzas, attributes are combined. In the case of multiple definitions of the same attribute, the last definition in the file wins. * If an attribute is defined at both the global level and in a specific stanza, the value in the specific stanza takes precedence. ******* The possible attribute/value pairs for metric_rollups.conf are: *******
[index:<Metric Index Name>]
* Each metric_rollups.conf stanza defines the rollup summarization policy for a specific metric index. * A rollup policy can include multiple rollup summaries, each with a different rollup period. * Go to indexes.conf to find metric index configurations. Metric indexes have datatype=metric in their configurations. defaultAggregation = <'' separated list of aggregation functions> * Required. The default aggregation function for the rollup policy. The Splunk software uses this aggregation function to generate the rollup summmary data points for all metrics in the source index with the exception of metrics that are identified by 'aggregation.<metric_name>' exclusion rules. * For example, if a rollup summary with a period of 1 hour has 'defaultAggregation = avg', each metric data point that it generates is the average of an hour of data points from the source metric. * Note that the 'perc' and 'upperperc' options require an integer. * Supported aggregation functions: [avg|count|max|median|min|perc<int>|sum] * Default: avg dimensionList = <comma-separated list of dimensions> * Optional. This setting provides a comma-separated list of dimensions. The dimensions must be present within the index to which the rollup policy applies. * This list corresponds to the `dimensionListType` setting, which determines whether this set of dimensions is included or excluded from the rollup metrics that are generated by the rollup summary. * Use the Metrics Catalog REST API endpoints to see the metrics and dimensions for a particular index. For more information see the REST API Reference Manual. * Default: None dimensionListType = <excluded/included> * Optional. This setting determines whether the list of dimensions specified by the `dimensionList` setting is included or excluded from the rollup metrics that are generated by the rollup summaries in the rollup policy. * Select 'included' to indicate that the rollup metrics produced by the rollup policy will filter out all dimensions except the ones in the list. * Select 'excluded' to indicate that the rollup metrics produced by the rollup policy will include all available dimensions except the ones in the list. * Default: excluded metricList = <comma-separated list of metrics> * Optional. This setting provides a comma-separated list of metrics. * This list corresponds to the 'metricListType' setting. * The listed metrics must be present within the source metric index. * Use the Metrics Catalog REST API endpoints in conjunction with the 'rest' command to see the metrics that exist within a particular source index. See the REST API Reference Manual and the Search Reference for more information. * Default: None (the setting is not set) metricListType = <excluded/included> * Optional. This setting determines whether the list of metrics specified by the 'metricList' setting is included or excluded when the search head rolls metrics up to the rollup summaries. * Select "included" to have the search head roll up only the listed metrics. * Select "excluded" to have the search head roll up all available metrics in the source metric index except the listed metrics. * Default: excluded aggregation.<metric_name> = <'' separated list of aggregation functions> * Optional. Sets an exclusion rule for a rollup policy. Use this setting to override the 'defaultAggregation' setting for a specific metric. * Create exclusion rules for metrics that require different aggregation functions than the majority of the metrics in a rollup policy. * A single rollup policy can have multiple exclusion rules. * Supported aggregation functions: [avg|count|max|median|min|perc<int>|sum] * Default: no values rollup.<summary number>.span = <time range string> * Required for each rollup summary in the rollup policy. * The Splunk software defines the '<summary number>' when you create a summary policy through Splunk Web or the REST API endpoint. * Defines the rollup period for a rollup summary. * The '<time range string>' cannot be shorter than the 'minSpanAllowed' setting in limits.conf. * This setting is required. Do not leave it blank. * Default for <summary number>: 1 * Default for <time range string>: 1h rollup.<summary number>.rollupIndex = <string Index name> * Required for each rollup summary in the rollup policy. * Defines the target index for the rollup metrics generated by a rollup summary. * The Splunk software defines the '<summary number>' when you create a summary policy through Splunk Web or the REST API endpoint. * The index name must exist in indexes.conf. * This setting is required. Do not leave it blank. * Default for <summary number>: 1 * Default for <string Index name>: The <Metric Index Name> in the stanza header for this rollup policy.
# Version 7.3.2 # # This file contains example saved searches and alerts. # # To use one or more of these configurations, copy the configuration block into # metric_rollups.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk # to enable configurations. # # To learn more about configuration files (including precedence) please see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # The following searches are example searches. To create your own search, # modify the values by following the spec outlined in metric_rollups.conf.spec. [index:mySourceMetricIndex] # defaultAggregation is applied to all the measures/metric names unless overided defaultAggregation = avg # Override metric_name_1 aggregation from avg to min aggregation.metric_name_1 = min # Override metric_name_2 aggregation from avg to count aggregation.metric_name_2 = count # Exclude dimension_1 and dimension_2 during rollup dimensionList = dimension_1, dimension_2 dimensionListType = excluded # All the above settings applies globally to all the summary definitions below # Each summary here specifies the target index and span # Two summaries definied, need to define each summary as rollup.<0, 1, 2..>... rollup.0.rollupIndex = myTargetMetricIndex_0 rollup.0.span = 1h rollup.1.rollupIndex = myTargetMetricIndex_1 rollup.1.span = 1d # Exclude metric_1 and metric_2 during rollup metricList = metric_1, metric_2 metricListType = excluded
Last modified on 17 September, 2019
This documentation applies to the following versions of Splunk® Enterprise: 7.3.2
Feedback submitted, thanks!