agent_management.conf

The following are the spec and example files for agent_management.conf.

agent_management.conf.spec

#   Version 9.4.1
#

OVERVIEW

# This file contains descriptions of the settings that you can use to
# configure the Agent Management feature.
#
# There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name agent_management.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[general]

* Agent Management helper process settings. This stanza must exist.

fallback_to_deployment_server_ui = <boolean>
* Indicates which UI the forwarder_management should use. When set to "false", the forwarder_management uses the agent management UI, When set to "true", the forwarder_management uses the deployment server UI.
* Default: false.

log_level = <string> 
* How verbose the logs are.
* log level = DEBUG | INFO | WARN | ERROR | FATAL
* Default: ERROR.

request_timeout = <string>
* A global request timeout setting that defines how long the Agent Manager processes a request before it times out.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 90s.

[search_client]

* Agent Management helper process settings for the SPL subsystem.

polling_interval = <string>
* How long the Agent Manager waits between HTTP calls to retrieve search results.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 500ms.

query_agents_with_error = <string>
* The SPL search that is run to obtain a list of agents with a status of "error".

query_agents_offline = <string>
* The SPL search that is run to obtain a list of offline agents. 

query_agents_updated_config = <string>
* The SPL search that is run to obtain a list of agents with updated configurations.

query_agent_version = <string>
* The SPL search that is run to obtain a list of agents and their corresponding versions.

query_app_summary = <string>
* The SPL search that is run to obtain a summary of the status of each application.

[splunkd_client]

* Agent Management helper process settings that are used for communicating with splunkd.

connection_pool_size = <integer>
* The number of HTTP connections that can be handled simultaneously by the Agent Manager.
* Default: 10

request_timeout = <string>
* A time limit for HTTP requests made by the Agent Manager to splunkd.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 60s.

connection_keep_alive = <string>
* The maximum amount of time an idle connection made by the Agent Manager to splunkd remains idle before closing.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 5m.

[settings_sync]

* The Agent Management helper process settings for the settings synchronization subsystem.
* The settings synchronization subsystem periodically obtains the Deployment Server settings.

polling_interval = <string>
* How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 5m.

agent_management.conf.example

#   Version 9.4.1
#
# This is an example agent_management.conf. Use this file to configure the Agent Management
# settings, such as specifying the connection pool size or timeouts.
#
# There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name agent_management.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[general]
# Indicates which UI the forwarder_management should use. When set to 'false', the forwarder_management uses the agent management UI, When set to 'true', the forwarder_management uses the deployment server UI.
fallback_to_deployment_server_ui = false
# How verbose the logs are.
log_level=ERROR
# A global request timeout setting that defines how long the Agent Manager processes a request before it times out.
request_timeout=90s

[search_client]
# How long the Agent Manager waits between HTTP calls to retrieve search results.
polling_interval = 500ms

# The SPL search that is run to obtain a list of agents with a status of "error".
query_agents_with_error = | tstats latest(data.result) as latestResult where index=_dsappevent by data.clientId, data.appName \
| search latestResult!="Ok" \
| join data.clientId [ tstats dc(data.clientId) where earliest=%d index=_dsphonehome by data.clientId ] \
| stats dc(data.clientId) as count

# The SPL search that is run to obtain a list of offline agents.
query_agents_offline = | tstats min(data.lastPhoneHomeTime) as min_time max(data.lastPhoneHomeTime) as max_time count where index=_dsphonehome earliest=%d by data.clientId \
| eval averagePhoneHomeInterval=(max_time-min_time)/(count-1), seconds=(now()-max_time) \
| eval offlineThresholdSeconds=(1.05*averagePhoneHomeInterval+20) \
| where seconds>offlineThresholdSeconds \
| stats count

# The SPL search that is run to obtain a list of agents with updated configurations.
query_agents_updated_config = | tstats dc(data.clientId) as count where index=_dsappevent earliest=%d \
(data.action="Install" OR data.action="Uninstall") AND data.result="Ok"

# The SPL search that is run to obtain a list of agents and their corresponding versions.
query_agent_version = search index=_dsclient \
| stats latest(data.splunkVersion) as version by data.clientId data.package \
| dedup version data.package \
| table version data.package \
| rename data.package as agentType

# The SPL search that is run to obtain a summary of the status of each application.
query_app_summary = | tstats latest(data.action) as lastAction latest(data.result) as lastResult where index=_dsappevent %s by data.clientId data.appName \
| join data.clientId [ tstats dc(data.clientId) where index=_dsphonehome earliest=%d by data.clientId ] \
| stats count(eval(lastAction="Install" AND lastResult="Ok")) AS installedApplications, count(eval(lastResult!="Ok")) AS failedApplications by data.appName

[splunkd_client]
# The number of HTTP connections that can be handled simultaneously by the Agent Manager.
connection_pool_size = 10
# A time limit for HTTP requests made by the Agent Manager to splunkd.
request_timeout = 60s
# The maximum amount of time an idle connection made by the Agent Manager to splunkd remains idle before closing.
connection_keep_alive = 5m

[settings_sync]
# How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings.
polling_interval = 5m