Splunk® Enterprise

Admin Manual

agent_management.conf

The following are the spec and example files for agent_management.conf.

agent_management.conf.spec

#   Version 9.4.1
#

OVERVIEW


# This file contains descriptions of the settings that you can use to
# configure the Agent Management feature.
#
# There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name agent_management.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[general]

* Agent Management helper process settings. This stanza must exist.

fallback_to_deployment_server_ui = <boolean>
* Indicates which UI the forwarder_management should use. When set to "false", the forwarder_management uses the agent management UI, When set to "true", the forwarder_management uses the deployment server UI.
* Default: false.

log_level = <string> 
* How verbose the logs are.
* log level = DEBUG | INFO | WARN | ERROR | FATAL
* Default: ERROR.

request_timeout = <string>
* A global request timeout setting that defines how long the Agent Manager processes a request before it times out.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 90s.

[search_client]

* Agent Management helper process settings for the SPL subsystem.

polling_interval = <string>
* How long the Agent Manager waits between HTTP calls to retrieve search results.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 500ms.

query_agents_with_error = <string>
* The SPL search that is run to obtain a list of agents with a status of "error".

query_agents_offline = <string>
* The SPL search that is run to obtain a list of offline agents. 

query_agents_updated_config = <string>
* The SPL search that is run to obtain a list of agents with updated configurations.

query_agent_version = <string>
* The SPL search that is run to obtain a list of agents and their corresponding versions.

query_app_summary = <string>
* The SPL search that is run to obtain a summary of the status of each application.

[splunkd_client]

* Agent Management helper process settings that are used for communicating with splunkd.

connection_pool_size = <integer>
* The number of HTTP connections that can be handled simultaneously by the Agent Manager.
* Default: 10

request_timeout = <string>
* A time limit for HTTP requests made by the Agent Manager to splunkd.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 60s.

connection_keep_alive = <string>
* The maximum amount of time an idle connection made by the Agent Manager to splunkd remains idle before closing.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 5m.

[settings_sync]

* The Agent Management helper process settings for the settings synchronization subsystem.
* The settings synchronization subsystem periodically obtains the Deployment Server settings.

polling_interval = <string>
* How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 5m.

agent_management.conf.example

#   Version 9.4.1
#
# This is an example agent_management.conf. Use this file to configure the Agent Management
# settings, such as specifying the connection pool size or timeouts.
#
# There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name agent_management.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[general]
# Indicates which UI the forwarder_management should use. When set to 'false', the forwarder_management uses the agent management UI, When set to 'true', the forwarder_management uses the deployment server UI.
fallback_to_deployment_server_ui = false
# How verbose the logs are.
log_level=ERROR
# A global request timeout setting that defines how long the Agent Manager processes a request before it times out.
request_timeout=90s

[search_client]
# How long the Agent Manager waits between HTTP calls to retrieve search results.
polling_interval = 500ms

# The SPL search that is run to obtain a list of agents with a status of "error".
query_agents_with_error = | tstats latest(data.result) as latestResult where index=_dsappevent by data.clientId, data.appName \
| search latestResult!="Ok" \
| join data.clientId [ tstats dc(data.clientId) where earliest=%d index=_dsphonehome by data.clientId ] \
| stats dc(data.clientId) as count

# The SPL search that is run to obtain a list of offline agents.
query_agents_offline = | tstats min(data.lastPhoneHomeTime) as min_time max(data.lastPhoneHomeTime) as max_time count where index=_dsphonehome earliest=%d by data.clientId \
| eval averagePhoneHomeInterval=(max_time-min_time)/(count-1), seconds=(now()-max_time) \
| eval offlineThresholdSeconds=(1.05*averagePhoneHomeInterval+20) \
| where seconds>offlineThresholdSeconds \
| stats count

# The SPL search that is run to obtain a list of agents with updated configurations.
query_agents_updated_config = | tstats dc(data.clientId) as count where index=_dsappevent earliest=%d \
(data.action="Install" OR data.action="Uninstall") AND data.result="Ok"

# The SPL search that is run to obtain a list of agents and their corresponding versions.
query_agent_version = search index=_dsclient \
| stats latest(data.splunkVersion) as version by data.clientId data.package \
| dedup version data.package \
| table version data.package \
| rename data.package as agentType

# The SPL search that is run to obtain a summary of the status of each application.
query_app_summary = | tstats latest(data.action) as lastAction latest(data.result) as lastResult where index=_dsappevent %s by data.clientId data.appName \
| join data.clientId [ tstats dc(data.clientId) where index=_dsphonehome earliest=%d by data.clientId ] \
| stats count(eval(lastAction="Install" AND lastResult="Ok")) AS installedApplications, count(eval(lastResult!="Ok")) AS failedApplications by data.appName

[splunkd_client]
# The number of HTTP connections that can be handled simultaneously by the Agent Manager.
connection_pool_size = 10
# A time limit for HTTP requests made by the Agent Manager to splunkd.
request_timeout = 60s
# The maximum amount of time an idle connection made by the Agent Manager to splunkd remains idle before closing.
connection_keep_alive = 5m

[settings_sync]
# How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings.
polling_interval = 5m

Last modified on 03 April, 2025
About the Splunk Enterprise AMI   alert_actions.conf

This documentation applies to the following versions of Splunk® Enterprise: 9.4.1


Please expect delayed responses to documentation feedback while the team migrates content to a new system. We value your input and thank you for your patience as we work to provide you with an improved content experience!

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters