Monitoring Splunk

Clarity on Splunk CM, LM, MC?

munang
Path Finder

Hi
I'm Splunk newbie.

I'm confused about MC, CM, and LM, so I'm asking a question.

1. Is it true that the monitoring console exists to check the indexer's health or CPU usage?

2. If number 1 is correct, I wonder why there is a license usage tab in the monitoring console menu. Does the monitoring console also check the license pool? (Does it also serve as a license master?)

3. Is it correct to say that the indexer cluster master is a role when divided based on Splunk components, and the monitoring console is a built-in function of the cluster master?

Doesn't the monitoring console and the cluster master instance exist separately?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @munang,

I agree with you that isn't so clear the managing roles division in Splunk, for this reason I voted for a proposal in Splunk Ideas (https://ideas.splunk.com/ideas/EID-I-48) to have a unique console grouping all the managing roles and i's a future prospect.

Anyway, answering to your questions:

1. Is it true that the monitoring console exists to check the indexer's health or CPU usage?

no it's a reductive affirmation: this is a part of its features: it can monitor all the activities of your Splunk on-premise infrastructure, because you can monitor all servers health status, indexing, searches, hardware resources usage, license consuption and many other things.

2. If number 1 is correct, I wonder why there is a license usage tab in the monitoring console menu. Does the monitoring console also check the license pool? (Does it also serve as a license master?)

license monitoring is one of the monitoring targets of this App, and it isn't mandatory that the MC is also the License Master.

3. Is it correct to say that the indexer cluster master is a role when divided based on Splunk components, and the monitoring console is a built-in function of the cluster master?

no it's wrong. as I said, using MC you can monitor all your Splunk on-premise infrastructure and it isn't a feature of the CM: the MC is a Search Head that usually it's better to put in a dedicated server or at least shared with a low load role as Deployer or License master, not CM or Deployment Server, except maybe (!) for little infrastructures!

Doesn't the monitoring console and the cluster master instance exist separately?

Yes they should: as I said, you can put them in the same server only in labs or for little infrastrctures.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @munang,

I agree with you that isn't so clear the managing roles division in Splunk, for this reason I voted for a proposal in Splunk Ideas (https://ideas.splunk.com/ideas/EID-I-48) to have a unique console grouping all the managing roles and i's a future prospect.

Anyway, answering to your questions:

1. Is it true that the monitoring console exists to check the indexer's health or CPU usage?

no it's a reductive affirmation: this is a part of its features: it can monitor all the activities of your Splunk on-premise infrastructure, because you can monitor all servers health status, indexing, searches, hardware resources usage, license consuption and many other things.

2. If number 1 is correct, I wonder why there is a license usage tab in the monitoring console menu. Does the monitoring console also check the license pool? (Does it also serve as a license master?)

license monitoring is one of the monitoring targets of this App, and it isn't mandatory that the MC is also the License Master.

3. Is it correct to say that the indexer cluster master is a role when divided based on Splunk components, and the monitoring console is a built-in function of the cluster master?

no it's wrong. as I said, using MC you can monitor all your Splunk on-premise infrastructure and it isn't a feature of the CM: the MC is a Search Head that usually it's better to put in a dedicated server or at least shared with a low load role as Deployer or License master, not CM or Deployment Server, except maybe (!) for little infrastructures!

Doesn't the monitoring console and the cluster master instance exist separately?

Yes they should: as I said, you can put them in the same server only in labs or for little infrastrctures.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...