Community:Splunk for Enterprise Management

From Splunk Wiki

Jump to: navigation, search

Introduction

Splunk for Enterprise Management provides a variety of dashboards and interactive searches to improve the Splunk administrative and operational experience. The application enhances the administrator's visibility to indexers, forwarders, and user searches across a distributed topology.

Overview

The enterprise manager application is provided to give insight into Splunk usage and overall Splunk behavior in your environment. The application primarily consists of dashboards and saved searches. The types of EntMan saved searches can be broken into three main categories. First, there are searches providing information on Splunk searches and search performance. Second, there are searches that capture metrics data on the Splunk indexing and indexing performance. Finally, there are searches providing metrics about the Splunk forwarding of your system data. A description of each of the searches is provided in the app package available for download.

Contents

  • 3 Dashboards
    • An Indexer Dashboard
    • A Forwarder Dashboard
    • A Search Dashboard
  • 15 Saved Searches

Installing Splunk for Enterprise Management

To install the Splunk for Enterprise Management application, you can either download it directly from within Splunk's UI or download and install it manually.

To install it via your Splunk UI, go to Splunk -> Admin and select Applications. Then browse Splunkbase - or optionally search for Enterprise Management - and select the Splunk for Enterprise Management app for installation.

To install it manually, download the application from Splunk for Enterprise Management and save it to your local hard drive. The file has a .spl extension, and it can be safely unpacked with any zip or tarball compatible tool. If you need a tool, more information can be found at gzip.org.

Add the following line to $SPLUNK_HOME/etc/log.cfg on each system that you issue Splunk searches from: category.SearchPerformance=DEBUG. The action allows search metrics to be captured for Enterprise Manager and for the Enterprise Manager application to report on the searches. For this setting to take effect, each Splunk instance where this option is configured must be restarted.

Files included:

  • README
  • inputs.conf - To access data for some of the 'search' searches
  • prefs.conf - To create the dashboards
  • savedsearches.conf - All of the savedsearches
Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk