All Apps and Add-ons

Missing "Update monitored list from REST" saved search

Path Finder

I installed Fire Brigade on my search head using the web GUI and pushed out the TA Fire Brigade to my indexers using my deployment server.

But, I don't see "Update monitored list from REST" in my saved searches. I wanted to manually run that so I can get rid of the "The lookup table 'monitored_indexes.csv' is invalid." error.

Did I do something wrong? I'm on 6.0.3.

Tags (1)
0 Karma

Community Manager
Community Manager

FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!

0 Karma

Explorer

fire_brigade v2 does not have "Update monitor list from REST" saved search. fire_brigade v1 has this particular saved search. Either case requires some adjustments especially if you have distributed / clustered environment with multiple indexers (peers).

The rest API /services/data/indexes does not allow multiple peer hosts as valid entries. So you would need to run on each indexers, then append the results, dedup it and save it as csv file. Since clustered, there should not be any deviation in indexes present in one versus another peers; however why leave it to chance.

Create a saved search "Update monitor list from REST" in the context of fire brigade app, save it and have it scheduled to run in some cycle (monthly, weekly, or daily ... go nuts).

Below is how I did it in our environment. I have 10 peers, so run rest API against each indexers, then append the results, then due some filter, dedup, then save as csv as expected by fire brigade app.

| rest /services/data/indexes splunk_server=idx01 count=0 |
append [| rest /services/data/indexes splunk_server=idx02 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx03 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx04 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx05 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx06 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx07 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx08 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx09 count=0 ] |
append [| rest /services/data/indexes splunk_server=idx10 count=0 ] |
search disabled=0 title!=_blocksignature title!=_thefishbucket | rename title AS index | fields index | dedup index | outputlookup monitored_indexes.csv

Hope this helps others in upgrading fire brigade (very useful app... but Splunk being Splunk often makes assumptions that is not always true)...