Splunk® Enterprise

Metrics

Create and edit metric rollup policies with Splunk Web

This topic shows you how to create or edit a metric rollup policy with Splunk Web.

All metric rollup policies created with Splunk Web are created in the context of the Search & Reporting app.

If you want to create metric rollup policies for data in other apps, you need to do so through REST API calls or direct configuration file edits. See:

The Splunk Cloud Platform does not support the metrics rollup feature.

Create a new metric rollup policy for a metric index

Prerequisites

Steps

  1. Select Settings > Indexes to open the Indexes listing page.
  2. Find a metrics index that you want to define a metric rollup policy for and click its Edit link. Metrics indexes that do not have rollup policies have an icon that looks like a measuring stick: This icon looks like a small measuring stick.
  3. Scroll down to the bottom of the Edit dialog. Under Rollup Policy, click Create a new policy.
  4. Define a rollup summary. Select a target index and a time range.
    Setting Description
    Target index This is the metric index that the rollup summary will be stored on. The drop-down displays only metric indexes.
    Time range This setting provides the period of the search that populates the rollup summary with aggregated metric data points.

    The time range is limited to the provided options. You cannot set a time range longer than one day.

  5. (Optional) Click Add another summary to add an additional rollup summary.
  6. (Optional) Define a dimension filter.
    Select either Included Dimensions or Excluded Dimensions. Then click in the dimension field to select one or more dimensions. The dimension list is limited to dimensions that were indexed by the source index in the past 24 hours.
    Setting Description
    Included Dimensions Select to indicate that the listed dimensions are the only dimensions from the source metric that should be in the rollup metric produced by the metric rollup policy. In addition, metrics in the source index that do not have these dimensions will not be rolled up.
    Excluded Dimensions Select to indicate that the rollup metrics produced by the metric rollup policy will have of the dimensions in the source metrics except for the listed dimensions. Source metrics that only have some combination of the excluded dimensions will not be rolled up.
  7. (Optional) Click Add exception rule to define an exception rule.
    An exception rule enables you to override the default aggregation function for a specific metric. Metric rollup policies can have multiple exception rules.
    Setting Description
    Exception Metric Select a metric that needs a different aggregation function from the default. The list displays only metrics that have been indexed by the source index within the past 24 hours.
    Aggregation Select an alternate aggregation function for the metric.
  8. (Optional) Click General Policy to return to the general policy settings.
  9. Click Create policy to save your new policy.
    If you are editing your policy, click Edit policy to save your changes.

On the Indexes listing page, metrics that have a metric rollup policy have an icon that looks two square plates being pushed together, as if to compress something between them: Rolled up metrics index icon.png

Change the default aggregation

When you create metric rollup policies through Splunk Web, they have avg as their default aggregation function. The summary-creating search applies this default aggregation function to the metrics it finds in the source metric index, save those metrics that have exception rules defined for them.

You cannot change this default aggregation function through the UI, but you can change it for specific metric rollup policies if you have access to metric_rollups.conf. See Manage metric rollup policies through configuration files.

Last modified on 14 December, 2022
Roll up metrics data for faster search performance and increased storage capacity   Create and maintain metric rollup policies through the REST API

This documentation applies to the following versions of Splunk® Enterprise: 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters