Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 8.2 is no longer supported as of September 30, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

How the Monitoring Console works

This topic lists the files that the Monitoring Console modifies in a Splunk Enterprise filesystem.

These files reside in $SPLUNK_HOME/etc/apps/splunk_monitoring_console/ unless indicated otherwise. This directory contains configuration files in both a default directory and, after Monitoring Console setup, a local directory. See About configuration file directories in the Admin Manual.

File(s) Information contained in file(s) When populated
app.conf Basic information about the Monitoring Console: determines whether it is in distributed mode, and provides a short description for Splunk Web to use in Launcher. See app.conf.spec. By default. Updated when you click Apply changes.
distsearch.conf in etc/system/local Contains stanzas that reference distributed search groups created by the Monitoring Console. The names of these groups are usually prefaced with dmc_group_*. For example: [distributedSearch:dmc_group_cluster_manager] When you switch to distributed mode in Monitoring Console setup and click Apply changes
dmc_alerts.conf In some cases, you can edit thresholds in a platform alert without having to directly modify the search string for that alert. For such an alert, the Monitoring Console has a template of the search string, description string, and editable parameters. The template data, which is used in the Monitoring Console Alerts Setup page, is stored here, in stanzas named for the name of the saved search in default/savedsearches.conf. By default
lookups directory Contains two important files:
  • assets.csv lists the instances that the Monitoring Console recognizes and their peer URI (unique name), server name, host, machine (host fqdn), search group (server role, custom group, or cluster). This csv is used by every Monitoring Console dashboard.
  • dmc_forwarder_assets.csv is generated when you enable forwarder monitoring. Enabling forwarder monitoring enables the scheduled search (DMC Forwarder - Build Asset Table) in savedsearches.conf, which populates this .csv file. See Configure forwarder monitoring for the Monitoring Console in this manual.
By default (on initial startup). Updated when you click Apply changes or Rebuild forwarder assets, respectively.
macros.conf Contains two types of macros:
  • Search macros for all Monitoring Console dashboards.
  • Overview page customizations set in Monitoring Console > Settings > Overview preferences.

See macros.conf.spec.

Search macros are stored here by default.

Customizations are set when you edit one and click Save.

props.conf Search-time field extraction and lookup applications and evals. See props.conf.spec. By default
savedsearches.conf Schedules and search strings for platform alerts. The saved search named DMC Forwarder - Build Asset Table runs when you enable forwarder monitoring. By default
splunk_monitoring_console_assets

.conf

This file contains:
  • A list of search peers configured with the Monitoring Console, and any for which you have disabled monitoring.
  • Any search peer identifier that has been overwritten by the Monitoring Console manually during setup, for example host, host_fqdn, indexer cluster labels, or search head cluster labels.
  • Stanzas describing which indexer and search head cluster(s) each search peer is a member of.
When you click "Apply Changes" on Setup > General setup
transforms.conf Lookup definitions for assets.csv and forwarder csv file By default

For more details about dmc_alerts.conf and splunk_monitoring_console_assets.conf, look in $SPLUNK_HOME/etc/apps/splunk_monitoring_console/README.

Last modified on 19 March, 2022
What can the Monitoring Console do?   Troubleshoot with integrated Splunk deployment health report

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters