Use Splunk Assist
Read this topic to understand how the Splunk Assist interface works, and how to navigate through the Splunk Assist tabs, menus, and windows.
Overview of the Splunk Assist page
When the Splunk Assist page loads, it presents three distinct areas:
- Indicator tabs. The tabs along the top of the Splunk Assist window represent categories of indicators, which are specific pieces of information that Splunk Assist uses to measure the performance and compliance of your Splunk Enterprise deployment with Splunk best practice. Each indicator lets you view additional information about it. An indicator tab is similar to a tab of a manila folder - you can use the tab to open and access the contents of the folder. Clicking the indicator tab loads information about the indicators it references in the other parts of the Splunk Assist page. Each indicator tab displays a graph that shows the number of instances in your deployment, and how many of those instances are in one of three states of compliance:
  - Conform: Where the node conforms to Splunk best practice.
  - Warning: Where one or more indicators on the instance indicate potential problems with compliance which you should monitor more closely.
  - Critical: Where an instance is out of compliance and needs your attention to rectify it.
- Overview pane. The Overview pane shows detailed information about the nodes in your Splunk Enterprise deployment that report information on the indicator that is specified in the Indicator tab. The icons in this pane indicate the state of the instances in your deployment: whether they conform to best practice, are in a warning state, or do not conform to best practice. In this pane, Splunk Enterprise instances are grouped by three tiers:
  - Search tier: Instances that search data appear in this tier.
  - Indexing tier: Instances that store incoming data appear in this tier.
  - Collection tier: Instances that retrieve and send data to indexers, mainly forwarders, appear in this tier.
- Indicator summary pane. This third pane lists each available Splunk Assist indicator, with a summary of the information it collects and why. Each indicator summary has the following columns:
  - a Category which groups the indicator by type
  - a Scope that shows the types of Splunk Enterprise instances to which the indicator applies
  - Results, which display the number of instances to which the indicator applies and the number of machines that are either in compliance, in a warning state, or out of compliance
General Assist tasks
The Splunk Assist page lets you view all the insights it generates on the main page. You can filter instances by indicator, tier type, and severity, and you can also view details for a certain instance or indicator.
Show all instances for a certain indicator
- Click an indicator tab.
- In the All indicators pane, click the caret > next to an indicator. The pane updates to include a list of all machines to which the indicator applies.
Filter instances by tier type
- Click an indicator tab.
- In the Overview pane, click one of the icons that represents the tier of instances that you want to see, and the state of instances within that tier.
The Overview pane can have up to three icons per tier, depending on the states of compliance for individual instances within the tier. For example, if at least one instance in the Collection tier is in a critical state and another is in a warning state, two icons that represent the "Critical" and "Warning" states for those instances appear in that tier.
Filter instances by indicator
- Click an indicator tab.
- In the All indicators tab, in the Filter indicators text box, type in text that represents the indicators that you want to see. The "All indicators" pane updates to show the list of available indicators that match the text you type in.
Explore details of an indicator
To see the details of an indicator, click on the > button next to the indicator in the indicator list. The indicator displays a summary of what the indicator measures, and how you can remedy the instances in your deployment that are out of compliance with the indicator.
Get extended information on an indicator through Splunk Assist helper packages
Some indicators let you retrieve extended information on them. These indicators include a button within the indicator description that you can select to get the detailed information. Splunk Assist loads helper packages that provide this information when you select the button.
Splunk Assist ships with several helper packages:
- App Assist provides detailed information on the apps and add-ons in your Splunk Enterprise deployment. Within an indicator, you see the Open App Assist button to load this helper package. See Use App Assist.
- Certificate Assist provides detailed information on certificate management in your Splunk Enterprise deployment. Within an indicator, you see the Open Certificate Assist button to load this helper package. See Use Certificate Assist.
- Config Assist provides detailed information on configurations in your Splunk Enterprise deployment, including security configuration. Within an indicator, you see the Open Config Assist button to load this helper package. See Use Config Assist.
Sources from where Splunk Assist collects indicators
Splunk Assist collects the indicators that it displays from several sources. The following table lists the indicators and the tiers from which Splunk Assist collects the indicators. You can refer to this table to understand how Splunk Assist gets its data, or use it for troubleshooting purposes.
|Indicator type||Search tier||Indexing tier||Forwarding tier|
Troubleshoot problems with Splunk Assist
If you encounter problems where Splunk Assist displays an error or doesn't load properly, reference the following table for common problems and their solutions.
|Splunk Assist displays "Error loading Assist"||Splunk Assist runs a test to see if the instance where you activated it is suitable to run the service. If that test fails, this page can appear. You can run this test by using the following Splunk search. The |
Confirm that you are attempting to activate Splunk Assist on a supported Splunk Enterprise instance.
|Splunk Assist downloads remote assets as part of setup and activation. If it couldn't retrieve remote assets for the service, this page can appear. You can run the following Splunk search to determine if Splunk Assist successfully retrieved the remote assets. For best results, set the scope of the search to around the time when you updated the instance to version 9.0.0 or higher.
Confirm that you have network access to Splunk cloud services when you attempt to activate Splunk Assist.
||On suitable Splunk Enterprise nodes where you haven't turned on Splunk Assist, this is expected behavior.|
|You see search heads appear in the Collection tier in the Overview page||If you configure your search heads to forward data, Splunk Assist sees this and might add the search head to the Collection tier as a "forwarder". If you have configured TLS certificates on the search heads, they might appear in the Collection tier on the Certificate Assist page as forwarders also.|
|You don't see all search heads in the Overview page||Splunk Assist collects indicators from search head captains only, because all configuration information in a cluster is the same.|
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2