I'm trying to use Splunk App for Infrastructure bu I've an issue : some entities are in inactive status although receiving data (confirmed in "Analysis" view) but sometimes go back to active and so on.
As most of the "sometimes inactive status" entities are receiving data every 5m (not production hosts), I wonder if there is a parameter to tune the detection of pseudo inactivity ?
Thanks for your help
You need to increase the "monitoring_calculation_window" for in "collectors.conf" and restart Splunk.
If its Linux entity - increase the "os" stanza
For Windows - increase the "perfmon" stanza
Data is coming every 5 minutes (300 sec), I will keep the value between 450 to 600. This will make sure that SAI searches last 450-600 sec in past for the latest data.
Thanks for your help.
Unfortunately, I set it up to 600s but it didn't work. I still have these inactive entities.
After analysis, it seems that it's not related to delay since last data received since I have inactive status with entities updated less than a minute ago.
Any other ideas ?
Thank you again for your help.
No specific error or failed for splunk_app_infrasctructure or sai
The version installed is 1.4.1 (last version compatible with Splunk 7.1.4) on a SHCluster.