Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Use Config Assist

Config Assist is a helper package for Splunk Assist that displays indicators that relate to configurations in your Splunk Enterprise deployment. You can use Config Assist to ensure that your Splunk Enterprise deployment configurations conform with Splunk best practice.

The Config Assist page is similar to other Assist pages. Severity cards appear along the top of the page that let you sort available configuration indicators by severity. The overview pane on the left displays indicators based on the filter that you apply using the severity cards. The detail pane on the right displays information about a single indicator, and its contents change depending on what you click in the overview pane.

Indicators appear by severity: "Critical", "Warning", or "Conforming". The definitions for indicator severity are the same in the Config Assist helper page as they are for the general Assist page.

Filter indicators by severity

Complete this procedure to see a filtered list of indicators by severity.

  • On the Config Assist page, click an indicator severity card. The overview pane updates to show indicators that match that severity.

For example, if you want to see critical indicators only, click the Critical indicator severity card. The overview page updates to list only indicators that are currently in a "Critical" status.

Get more information on an indicator

Use this procedure to learn how to get more information about a specific indicator including the steps necessary to get the indicator into a "conforming" state.

  1. (Optional) Click one of the severity cards to filter the overview pane by indicator severity.
  2. Click an indicator in the list. The details pane updates to show information about the indicator, including the following details:
    • Name: The name of the indicator. Typically, this is a shortened concatenation of the configuration file, stanza, and setting name within the configuration file to which this indicator applies.
    • Scope: The scope for the indicator. This is usually the kind of Splunk Enterprise instance to which the indicator applies.
    • File: The Splunk configuration file that this indicator references.
    • Stanza: The stanza within the configuration file that this indicator references.
    • Current: The current value for the configuration setting that this indicator references.
    • Recommended: The value that the setting that this indicator references should have to comform to Splunk best practice.
    • Summary: A summary of the indicator.
    • Setting: Information on how to get the indicator into a "conforming" state.
  3. (Optional) Select the Nodes tab to see a list of Splunk platform instances to which this indicator applies.

Act to remedy an out-of-compliance indicator

You can use Splunk Assist to generate commands that will bring any nodes that have out-of-compliance indicators back into compliance.

  1. Follow the procedure to get more information about an indicator, as described earlier in this topic.
  2. In the details pane for the indicator, Select the Rest API call tab to see a command that you can use from the command line to remedy an indicator that is not in a "conforming" state for a node.
  3. Select the Copy REST API call button to copy the REST command to your computer clipboard.
  4. Paste this command into a terminal window or shell prompt to connect directly to the instance using REST to perform the configuration.

Depending on how you configure your Splunk Enterprise environment, you might need to provide credentials to complete any commands that Config Assist provides.

Last modified on 01 August, 2024
Use Certificate Assist   Troubleshoot problems with Splunk Assist

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters