Create and maintain metric rollup policies through the REST API
When you reach the limit of what you can do with metric rollup policies through Splunk Web, and if you do not have access to the
metric_rollups.conf files for your Splunk implementation, you can create, update, and delete metric rollup policies through manual calls to the
/catalog/metricstore/rollup REST endpoint.
The following prerequisites apply to all of the procedures in this topic.
- For an overview of metric rollup summaries and the policies that govern their creation, see Roll up metrics data for faster search performance and increased storage capacity.
- See the REST API User Manual for a broad overview of Splunk platform REST API concepts.
- The endpoints that are relevant to metric rollup policies are documented in the REST API Reference Manual:
When you create or update your metric rollup policies through REST calls, you can give them optional features that are unavailable in Splunk Web by adding them as POST request parameters in your REST calls to the
/catalog/metricstore/rollup or the
|Optional feature||POST request parameter||Description||How it improves over Splunk Web|
|Provide multiple aggregation functions||
||A list of aggregation functions, separated by
||Metric rollup policies created in Splunk Web are limited to aggregating metrics with |
||These parameters combine to create a filter at the search head that allows certain metrics to be rolled up to the summary but not others. You can designate a set of metric names and then say whether all metrics but those metrics should be excluded or included in the rollup summaries.||In Splunk Web, you cannot design a rollup policy that filters specific metrics out of the resulting rollup summaries.|
|Multiple aggregation functions for metric exclusion rules||
||You can define exclusion rules that specify two or more alternate aggregation functions for a metric. Use this parameter to override the default aggregation for one or more metrics. Each metric override pairs a metric name with one or more aggregation functions separated by
||In Splunk Web, you can only specify one alternate aggregation function for a metric.|
Create metric rollup policies for apps other than Search & Reporting
By default, metric rollup policies that you create with Splunk Web are given the context of the Search & Reporting app. However, with a REST API call, you can create metric rollup policies in the context of any app you prefer.
To do this, use the
/catalog/metricstore/rollup endpoint and embed the app folder name in the endpoint URL. Follow this syntax:
This generates a metric rollup policy in the context of the named app. If you omit the app name, the Splunk platform defaults to
search, for the Search and Reporting app.
You cannot designate specific owners for metric rollup policies. If you try to designate one, the system will reset its ownership to "nobody," meaning that it is shared by all users.
Here is an example of a REST call that creates a metric rollup policy for a Buttercup Games app. The metric rollup policy summarizes data on a source index named index_s and places it in two summaries on two target indexes.
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/buttercupgames/catalog/metricstore/rollup -d name=index_s -d default_agg=avg#max -d dimension_list="app,region" -d dimension_list_type=included -d metric_overrides="foo2|count#avg,foo1|min#avg" -d summaries="1h|index_d_1h,1d|index_d_1d" -d metric_list="foo3,foo4" -d metric_list_type=excluded
For details about the POST request parameters in this REST call, see the entry for the catalog/metricstore/rollup endpoint in the REST API Reference Manual.
Create and edit metric rollup policies with Splunk Web
Manage metric rollup policies with configuration files
This documentation applies to the following versions of Splunk® Enterprise: 8.0.4, 8.0.5