workload_rules.conf
The following are the spec and example files for workload_rules.conf
.
workload_rules.conf.spec
# Version 8.2.12 #
OVERVIEW
# This file contains descriptions of the settings that you can use to # configure workloads classification rules for splunk. # # There is a workload_rules.conf file in the $SPLUNK_HOME/etc/system/default/ directory. # Never change or copy the configuration files in the default directory. # The files in the default directory must remain intact and in their original # location. # # To set custom configurations, create a new file with the name workload_rules.conf in # the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings # that you want to customize to the local configuration file. # For examples, see workload_rules.conf.example. You do not need to restart the Splunk instance # to enable workload_rules.conf configuration changes. # # To learn more about configuration files (including file precedence) see the # documentation located at # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles #
GLOBAL SETTINGS
# Use the [default] stanza to define any global settings. # * You can also define global settings outside of any stanza, at the top of # the file. # * Each .conf file should have at most one default stanza. If there are # multiple default stanzas, settings are combined. In the case of # multiple definitions of the same setting, the last definition in the # file takes precedence. # * If a setting is defined at both the global level and in a specific # stanza, the value in the specific stanza takes precedence. # # CAUTION: Do not alter the settings in the workload_rules.conf file unless you know # what you are doing. Improperly configured workload rules might result in # splunkd crashes, memory overuse, or both.
[workload_rule:<rule_name>]
predicate = <string> * Specifies the predicate of this workload classification rule. * The format is logical expression with predicate as <type>=<value>. * For example, "app=search AND (NOT role=power)". * The valid <type> are "app", "role", "user", "index", "search_type", "search_mode" and "search_time_range". The <value> is the exact value of the <type>. * For "app" type, the value is the name of the app. For example, "app=search". * For "role" type, the value is the name of the role. For example, "role=admin". * For "index" type, the value is the name of the index. For example, "index=_internal". Note that the value can refer to an internal or public index. * For "user" type, the value is the name of any valid user. For example, "user=bob". Note that the reserved internal user "noboby" is invalid; the reserved internal user "splunk-system-user" is valid. * For "search_type" type, the value is the type of the search. Valid search types include "adhoc", "scheduled", "datamodel_acceleration", "report_acceleration" and "summary_index". * For "search_mode" type, the value is the mode of the search. Valid modes include "realtime" and "historical". * For "search_time_range" type, the value is the time range of the search. For now, value can only be "alltime". * For "runtime" type, the value is the amount of time a search must run in a workload pool to trigger a specified action, such as alert, move or abort. Valid units for runtime values include s, second, seconds, m, minute, minutes, and h, hour, hours. * Required. workload_pool = <string> * Specifies the name of the workload pool, for example "pool1". * The pool name that you specify must already be defined in the [workload_pool:<pool_name>] stanza in workload_pools.conf. action = alert | move | abort * Specifies the action to take when a search exceeds the specified runtime value. * The action "alert" sends a notification message to Splunk Web that indicates the runtime of the search. * The action "move" moves the search from the original workload pool to a designated alternate workload pool, and sends a notification message to Splunk Web. * The action "abort" kills the search, and sends a notification message to Splunk Web. * Optional. schedule = always_on | time_range | every_day | every_week | every_month * Specifies whether the rule is always on or has a valid time range that expires. * Optional. If it's empty, it means the rule is always on. start_time = <string> * When 'schedule' is set to "time_range", 'start_time' specifies the exact time that the valid time range starts, including date, time and time zone. * When 'schedule' is set to "every_week" or "every_month", it specifies the start hour. * Optional. end_time = <string> * When 'schedule' is set to "time_range", 'end_time' specifies the exact time that the valid time range ends, including date, time and time zone. * When 'schedule' is set to "every_week" or "every_month", it specifies the end hour. * Optional. every_week_days = <string> * Specifies recurring days of the week. * Supports numbers from 0 to 6, where 0 represents Sunday. * Only applies when 'schedule' is set to "every_week". * Optional. every_month_days = <string> * Specifies recurring days of the month. * Supports numbers from 1 to 31, where 1 represents the 1st day of the month. * Only applies when 'schedule' is set to "every_month". * Optional. user_message = <string> * Specifies the message shown in the search job inspector if the rule is applied to a search. * Cannot exceed 140 characters. * Optional. disabled = <boolean> * Toggles a workload rule off and on. * Set to "true" to disable a rule. * Default: false
[workload_rules_order]
rules = <string> * List of all workload classification rules. * The format of the "string" is comma separated items, "rule1,rule2,...". * The rules listed are defined in [workload_rule:<rule_name>] stanza. * The order of the rule name in the list determines the priorities of that rule. For example, in "rule1,rule2", rule1 has higher priority than rule2. * The default value for this property is empty, meaning there is no rule defined.
[search_filter_rule:<rule_name>]
predicate = <string> * Specifies the predicate of this workload classification rule. * The format is logical expression with predicate as <type>=<value>. * For example, "app=search AND (NOT role=power)". * The valid <type> are "app", "role", "user", "index", "search_type", "search_mode" and "search_time_range". The <value> is the exact value of the <type>. * For "app" type, the value is the name of the app. For example, "app=search". * For "role" type, the value is the name of the role. For example, "role=admin". * For "index" type, the value is the name of the index. For example, "index=_internal". Note that the value can refer to an internal or public index. * For "user" type, the value is the name of any valid user. For example, "user=bob". Note that the reserved internal user "noboby" is invalid; the reserved internal user "splunk-system-user" is valid. * For "search_type" type, the value is the type of the search. Valid search types include "adhoc", "scheduled", "datamodel_acceleration", "report_acceleration" and "summary_index". * For "search_mode" type, the value is the mode of the search. Valid modes include "realtime" and "historical". * For "search_time_range" type, the value is the time range of the search. For now, value can only be "alltime". * Required. action = filter * Specifies the action to take when a search meets the rule criteria. * The action "filter" is defined for search filter rules. If a search meets the rule criteria, the search is not executed. * Required. schedule = always_on | time_range | every_day | every_week | every_month * Specifies whether the rule is always on or has a valid time range that expires. * Optional. If it's empty, it means the rule is always on. start_time = <string> * When 'schedule' is set to "time_range", 'start_time' specifies the exact time that the valid time range starts, including date, time and time zone. * When 'schedule' is set to "every_week" or "every_month", it specifies the start hour. * Optional. end_time = <string> * When 'schedule' is set to "time_range", 'end_time' specifies the exact time that the valid time range ends, including date, time and time zone. * When 'schedule' is set to "every_week" or "every_month", it specifies the end hour. * Optional. every_week_days = <string> * Specifies recurring days of the week. * Supports numbers from 0 to 6, where 0 represents Sunday. * Only applies when 'schedule' is set to "every_week". * Optional. every_month_days = <string> * Specifies recurring days of the month. * Supports numbers from 1 to 31, where 1 represents the 1st day of the month. * Only applies when 'schedule' is set to "every_month". * Optional. user_message = <string> * Specifies the message when a search is filtered out by this rule. * Cannot exceed 140 characters. * Optional. disabled = <boolean> * Toggles a search filter rule off and on. * Set to "true" to disable a rule. * Default: false
workload_rules.conf.example
[workload_rules_order] rules = my_analyst_rule,my_app_rule,my_user_rule,my_index_rule [workload_rule:my_app_rule] predicate = app=search workload_pool = my_app_pool [workload_rule:my_analyst_rule] predicate = role=analyst workload_pool = my_analyst_pool schedule = always_on [workload_rule:my_user_rule] predicate = user=admin workload_pool = my_user_pool schedule = always_on [workload_rule:my_index_rule] predicate = index=_internal workload_pool = my_index_pool schedule = time_range start_time = 2019-01-01T04:00:00-08:00 end_time = 2019-01-05T04:00:00-08:00 [workload_rule:my_search_type_rule] predicate = search_type=adhoc workload_pool = my_adhoc_pool schedule = every_day start_time = 10 end_time = 15 [workload_rule:my_logical_rule_1] predicate = app=search AND (NOT index=_internal) workload_pool = my_logical_pool_1 schedule = every_week start_time = 10 end_time = 23 every_week_days = [0,4,6] [workload_rule:my_logical_rule_2] predicate = NOT role=power OR user=admin workload_pool = my_logical_pool_2 schedule = every_month start_time = 1 end_time = 2 every_month_days = [1,5,16,31]
workload_pools.conf |
This documentation applies to the following versions of Splunk® Enterprise: 8.2.12
Feedback submitted, thanks!