Splunk® Enterprise

Admin Manual

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

workload_rules.conf

The following are the spec and example files for workload_rules.conf.

workload_rules.conf.spec

   Version 7.3.6

OVERVIEW


 This file contains descriptions of the settings that you can use to
 configure workloads classification rules for splunk.

 There is a workload_rules.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
 Never change or copy the configuration files in the default directory.
 The files in the default directory must remain intact and in their original
 location.

 To set custom configurations, create a new file with the name workload_rules.conf in
 the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
 that you want to customize to the local configuration file.
 For examples, see workload_rules.conf.example. You do not need to restart the Splunk instance
 to enable workload_rules.conf configuration changes.

 To learn more about configuration files (including file precedence) see the
 documentation located at
 http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

GLOBAL SETTINGS


 Use the [default] stanza to define any global settings.
   * You can also define global settings outside of any stanza, at the top of
     the file.
   * Each .conf file should have at most one default stanza. If there are
     multiple default stanzas, settings are combined. In the case of
     multiple definitions of the same setting, the last definition in the
     file takes precedence.
   * If a setting is defined at both the global level and in a specific
     stanza, the value in the specific stanza takes precedence.

 CAUTION: Do not alter the settings in the workload_rules.conf file unless you know
     what you are doing.  Improperly configured workload rules might result in
     splunkd crashes, memory overuse, or both.

[workload_rule:<rule_name>]

predicate = <string>
* Specifies the predicate of this workload classification rule.
* The format is logical expression with predicate as <type>=<value>.
* For example, "app=search AND (NOT role=power)".
* The valid <type> are "app", "role", "user", and
  "index". The <value> is the exact value of the <type>.
* For "app" type, the value is the name of the app. For example, "app=search".
* For "role" type, the value is the name of the role. For example, "role=admin".
* For "index" type, the value is the name of the index. For example,
  "index=_internal". Note that the value can refer to an internal or public index.
* For "user" type, the value is the name of any valid user. For example,
  "user=bob". Note that the reserved internal user "noboby" is invalid; the
  reserved internal user "splunk-system-user" is valid.
* Required.

workload_pool = <string>
* Specifies the name of the workload pool, for example "pool1".
* The pool name specified must be defined earlier through [workload_pool:<pool_name>] stanza in
  workload_pools.conf.
* Required

[workload_rules_order]

rules = <string>
* List of all workload classification rules.
* The format of the "string" is comma separated items, "rule1,rule2,...".
* The rules listed are defined in [workload_rule:<rule_name>] stanza.
* The order of the rule name in the list determines the priorities of that rule.
  For example, in "rule1,rule2", rule1 has higher priority than rule2.
* The default value for this property is empty, meaning there is no rule defined.


workload_rules.conf.example

[workload_rules_order]
rules = my_analyst_rule,my_app_rule,my_user_rule,my_index_rule

[workload_rule:my_app_rule]
predicate = app=search
workload_pool = my_app_pool

[workload_rule:my_analyst_rule]
predicate = role=analyst
workload_pool = my_analyst_pool

[workload_rule:my_user_rule]
predicate = user=admin
workload_pool = my_user_pool

[workload_rule:my_index_rule]
predicate = index=_internal
workload_pool = my_index_pool

[workload_rule:my_logical_rule_1]
predicate = app=search AND (NOT index=_internal)
workload_pool = my_logical_pool_1

[workload_rule:my_logical_rule_2]
predicate = NOT role=power OR user=admin
workload_pool = my_logical_pool_2

Last modified on 29 May, 2020
workload_pools.conf  

This documentation applies to the following versions of Splunk® Enterprise: 7.3.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters