Missing "Update monitored list from REST" saved search

nbowman
Path Finder

I installed Fire Brigade on my search head using the web GUI and pushed out the TA Fire Brigade to my indexers using my deployment server.

But I don't see "Update monitored list from REST" in my saved searches. I wanted to manually run that so I can get rid of the "The lookup table 'monitored_indexes.csv' is invalid." error.

Did I do something wrong? I'm on 6.0.3.

ppablo
Retired

FYI, Fire Brigade version 2 will no longer be updated (the latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase, which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!

azurite257
Explorer

fire_brigade v2 does not have the "Update monitor list from REST" saved search. fire_brigade v1 has this particular saved search. Either case requires some adjustments, especially if you have a distributed / clustered environment with multiple indexers (peers).

The rest API /services/data/indexes does not allow multiple peer hosts as valid entries. So you would need to run it on each indexer, then append the results, dedup them and save them as a csv file. Since it is clustered, there should not be any deviation in the indexes present on one peer versus another; however, why leave it to chance.

Create a saved search "Update monitor list from REST" in the context of the fire brigade app, save it and have it scheduled to run on some cycle (monthly, weekly, or daily ... go nuts).

Below is how I did it in our environment. I have 10 peers, so I run the rest API against each indexer, then append the results, then do some filtering, dedup, then save as csv as expected by the fire brigade app.

| rest /services/data/indexes splunk_server=idx01 count=0 |
append [| rest /services/data/indexes splunk_server=idx02 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx03 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx04 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx05 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx06 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx07 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx08 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx09 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx10 count=0 ] |
search disabled=0 title!=_blocksignature title!=_thefishbucket | rename title AS index | fields index | dedup index | outputlookup monitored_indexes.csv

Hope this helps others in upgrading fire brigade (very useful app... but Splunk being Splunk often makes assumptions that are not always true)...
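As an added illustration that is not part of azurite257's post: the same merge done outside SPL, with one extra check the SPL's dedup hides, a report of indexes enabled on only some peers. Peer and index names are constructed; the dict shape assumes the "entry" list splunkd returns for /services/data/indexes with output_mode=json, which the post does not show.

```python
# Constructed sample of each peer's /services/data/indexes "entry" list
# (output_mode=json), cut down to the two fields the merge needs. Peer and
# index names are made up for this example, not taken from the post.
PEER_RESULTS = {
    "idx01": [
        {"name": "main", "content": {"disabled": False}},
        {"name": "_internal", "content": {"disabled": False}},
        {"name": "_blocksignature", "content": {"disabled": False}},
        {"name": "old_app", "content": {"disabled": True}},
    ],
    "idx02": [
        {"name": "main", "content": {"disabled": False}},
        {"name": "_internal", "content": {"disabled": False}},
        {"name": "_thefishbucket", "content": {"disabled": False}},
        {"name": "firewall", "content": {"disabled": False}},  # only on idx02
    ],
}

# Same exclusions as the SPL's title!=_blocksignature title!=_thefishbucket
EXCLUDED = {"_blocksignature", "_thefishbucket"}


def enabled_indexes(entries):
    """Mirror 'search disabled=0 ...': enabled, non-excluded index names."""
    keep = set()
    for e in entries:
        # splunkd may render the flag as a bool, 0/1 or "0"/"1"; normalise it
        disabled = str(e["content"].get("disabled", 0)).lower() in ("1", "true")
        if not disabled and e["name"] not in EXCLUDED:
            keep.add(e["name"])
    return keep


def merge_peers(peer_results):
    """Sorted union of enabled indexes plus {index: peers where it is missing}.
    The union is what 'append ... | dedup index' yields; the drift map is what
    dedup silently hides: an index enabled on only some cluster peers."""
    per_peer = {p: enabled_indexes(v) for p, v in peer_results.items()}
    union = set().union(*per_peer.values())
    drift = {}
    for idx in union:
        missing = sorted(p for p, names in per_peer.items() if idx not in names)
        if missing:
            drift[idx] = missing
    return sorted(union), drift


def monitored_csv(indexes):
    """One-column lookup (header 'index') as outputlookup writes it."""
    return "\n".join(["index", *indexes]) + "\n"
```

Run `merge_peers` over the real per-peer responses, write `monitored_csv(...)` to monitored_indexes.csv, and treat a non-empty drift map as a cluster configuration problem to chase rather than something to dedup away.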
