Splunk® Enterprise

Monitoring Splunk Enterprise

Use Splunk Assist

Read this topic to understand how the Splunk Assist interface works, and how to navigate through the Splunk Assist tabs, menus, and windows.

Overview of the Splunk Assist page

When the Splunk Assist page loads, it presents three distinct areas:

  • Indicator tabs. The tabs along the top of the Splunk Assist window represent categories of indicators, which are specific pieces of information that Splunk Assist uses to measure the performance and compliance of your Splunk Enterprise deployment with Splunk best practice. Each indicator lets you view additional information about it. An indicator tab is similar to a tab of a manila folder - you can use the tab to open and access the contents of the folder. Clicking the indicator tab loads information about the indicators it references in the other parts of the Splunk Assist page. Each indicator tab displays a graph that shows the number of instances in your deployment, and how many of those instances are in one of three states of compliance:
    • Conform: Where the node conforms to Splunk best practice.
    • Warning: Where one or more indicators on the instance indicate potential problems with compliance which you should monitor more closely.
    • Critical: Where an instance is out of compliance and needs your attention to rectify it.
  • Overview pane. The Overview pane shows detailed information about the nodes in your Splunk Enterprise deployment that report information on the indicator that is specified in the Indicator tab. The icons in this pane indicate the state of the instances in your deployment: whether they conform to best practice, are in a warning state, or do not conform to best practice. In this pane, Splunk Enterprise instances are grouped by three tiers:
    • Search tier: Instances that search data appear in this tier.
    • Indexing tier: Instances that store incoming data appear in this tier.
    • Collection tier: Instances that retrieve and send data to indexers, mainly forwarders, appear in this tier.
  • Indicator summary pane. This third pane lists each available Splunk Assist indicator, with a summary of the information it collects and why. Each indicator summary has the following columns:
    • a Category which groups the indicator by type
    • a Scope that shows the types of Splunk Enterprise instances to which the indicator applies
    • Results, which display the number of instances to which the indicator applies and the number of machines that are either in compliance, in a warning state, or out of compliance

General Assist tasks

The Splunk Assist page lets you view all the insights it generates on the main page. You can filter instances by indicator, tier type, and severity, and you can also view details for a certain instance or indicator.

Show all instances for a certain indicator

  1. Click an indicator tab.
  2. In the All indicators pane, click the caret > next to an indicator. The pane updates to include a list of all machines to which the indicator applies.

Filter instances by tier type

  1. Click an indicator tab.
  2. In the Overview pane, click one of the icons that represents the tier of instances that you want to see, and the state of instances within that tier.

The Overview pane can have up to three icons per tier, depending on the states of compliance for individual instances within the tier. For example, if at least one instance in the Collection tier is in a critical state and another is in a warning state, two icons that represent the "Critical" and "Warning" states for those instances appear in that tier.

Filter instances by indicator

  1. Click an indicator tab.
  2. In the All indicators tab, in the Filter indicators text box, type in text that represents the indicators that you want to see. The "All indicators" pane updates to show the list of available indicators that match the text you type in.

Explore details of an indicator

To see the details of an indicator, click on the > button next to the indicator in the indicator list. The indicator displays a summary of what the indicator measures, and how you can remedy the instances in your deployment that are out of compliance with the indicator.

Get extended information on an indicator through Splunk Assist helper packages

Some indicators let you retrieve extended information on them. These indicators include a button within the indicator description that you can select to get the detailed information. Splunk Assist loads helper packages that provide this information when you select the button.

Splunk Assist ships with several helper packages:

  • App Assist provides detailed information on the apps and add-ons in your Splunk Enterprise deployment. Within an indicator, you see the Open App Assist button to load this helper package. See Use App Assist.
  • Certificate Assist provides detailed information on certificate management in your Splunk Enterprise deployment. Within an indicator, you see the Open Certificate Assist button to load this helper package. See Use Certificate Assist.
  • Config Assist provides detailed information on configurations in your Splunk Enterprise deployment, including security configuration. Within an indicator, you see the Open Config Assist button to load this helper package. See Use Config Assist.

Sources from which Splunk Assist collects indicators

Splunk Assist collects the indicators that it displays from several sources. The following table lists the indicators and the tiers from which Splunk Assist collects the indicators. You can refer to this table to understand how Splunk Assist gets its data, or use it for troubleshooting purposes.

Indicator type                            Search tier   Indexing tier   Forwarding tier
Availability (requires TLS certificates)  --            X               X
Security                                  X             --              --
App updates                               X             --              --

Troubleshoot problems with Splunk Assist

If you encounter problems where Splunk Assist displays an error or doesn't load properly, refer to the following list of common problems and their solutions.

Problem: Splunk Assist displays "Error loading Assist"

Solution: Splunk Assist runs a test to see if the instance on which you activated it is suitable to run the service. If that test fails, this page can appear. You can run this test by using the following Splunk search. The sud and sh results in the search must both return true for Splunk Assist to accept the instance as suitable.

index="_internal" splunk_server="local" sourcetype="splunk_assist_internal_log" sh=* sud=*

Confirm that you are attempting to activate Splunk Assist on a supported Splunk Enterprise instance.

Splunk Assist downloads remote assets as part of setup and activation. If it couldn't retrieve remote assets for the service, this page can appear. You can run the following Splunk search to determine if Splunk Assist successfully retrieved the remote assets. For best results, set the scope of the search to around the time when you updated the instance to version 9.0.0 or higher.

index="_internal" splunk_server="local" sourcetype="splunk_assist_internal_log" "Updating local node config"

Confirm that you have network access to Splunk cloud services when you attempt to activate Splunk Assist.

Problem: You see "Assist Supervisor cannot start, missing required secrets" or "Secret load failed" in search results for the splunk_assist_internal_log

Solution: On suitable Splunk Enterprise nodes where you haven't turned on Splunk Assist, this is expected behavior.

Problem: You see search heads appear in the Collection tier in the Overview page

Solution: If you configure your search heads to forward data, Splunk Assist sees this and might add the search head to the Collection tier as a "forwarder". If you have configured TLS certificates on the search heads, they might also appear as forwarders in the Collection tier on the Certificate Assist page.

Problem: You don't see all search heads in the Overview page

Solution: Splunk Assist collects indicators from search head captains only, because all configuration information in a cluster is the same.

If you have configured your search head clusters with more than one preferred search head cluster captain, you might see multiple instances of that search head cluster appear in Splunk Assist because of the multiple captaincies. If the search head cluster elects a new captain, you might see multiple instances of the search head cluster until the indicator cache on the first captain expires, about once a day.

Last modified on 03 November, 2022

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2