Create and edit metric rollup policies with Splunk Web
This topic shows you how to create or edit a metric rollup policy with Splunk Web.
All metric rollup policies created with Splunk Web are created in the context of the Search & Reporting app.
If you want to create metric rollup policies for data in other apps, you need to do so through REST API calls or direct configuration file edits. See:
- Create and maintain metric rollup policies through the REST API
- Manage metric rollup policies with configuration files
The Splunk Cloud Platform does not support the metrics rollup feature.
Create a new metric rollup policy for a metric index
- See Roll up metrics data for faster search performance and increased storage capacity for a conceptual overview of metric rollup policies.
- A metric rollup policy requires the existence of a source metric index and one or more target metric indexes. These indexes must be discoverable on the search head. See Index prerequisites for metric rollup policies.
- In order to create metric rollup policies with Splunk Web, your role must have the
edit_metrics_rollupcapabilities. See About defining roles with capabilities in Securing Splunk Enterprise.
- Select Settings > Indexes to open the Indexes listing page.
- Find a metrics index that you want to define a metric rollup policy for and click its Edit link. Metrics indexes that do not have rollup policies have an icon that looks like a measuring stick: .
- Scroll down to the bottom of the Edit dialog. Under Rollup Policy, click Create a new policy.
- Define a rollup summary. Select a target index and a time range.
Setting Description Target index This is the metric index that the rollup summary will be stored on. The drop-down displays only metric indexes. Time range This setting provides the period of the search that populates the rollup summary with aggregated metric data points.
- (Optional) Click Add another summary to add an additional rollup summary.
- (Optional) Define a dimension filter.
Select either Included Dimensions or Excluded Dimensions. Then click in the dimension field to select one or more dimensions. The dimension list is limited to dimensions that were indexed by the source index in the past 24 hours.
Setting Description Included Dimensions Select to indicate that the listed dimensions are the only dimensions from the source metric that should be in the rollup metric produced by the metric rollup policy. In addition, metrics in the source index that do not have these dimensions will not be rolled up. Excluded Dimensions Select to indicate that the rollup metrics produced by the metric rollup policy will have of the dimensions in the source metrics except for the listed dimensions. Source metrics that only have some combination of the excluded dimensions will not be rolled up.
- (Optional) Click Add exception rule to define an exception rule.
An exception rule enables you to override the default aggregation function for a specific metric. Metric rollup policies can have multiple exception rules.
Setting Description Exception Metric Select a metric that needs a different aggregation function from the default. The list displays only metrics that have been indexed by the source index within the past 24 hours. Aggregation Select an alternate aggregation function for the metric.
- (Optional) Click General Policy to return to the general policy settings.
- Click Create policy to save your new policy.
If you are editing your policy, click Edit policy to save your changes.
Change the default aggregation
When you create metric rollup policies through Splunk Web, they have
avg as their default aggregation function. The summary-creating search applies this default aggregation function to the metrics it finds in the source metric index, save those metrics that have exception rules defined for them.
You cannot change this default aggregation function through the UI, but you can change it for specific metric rollup policies if you have access to
metric_rollups.conf. See Manage metric rollup policies through configuration files.
Roll up metrics data for faster search performance and increased storage capacity
Create and maintain metric rollup policies through the REST API
This documentation applies to the following versions of Splunk® Enterprise: 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 9.0.0