Is this possible in Splunk?
For a while now, I've seen a lot of Splunk customers going through the same trouble:
I'd like to build a traffic light, that shows the status on the highest level. Connecting the dots, really. When it goes red, you would be able to click down to a level deeper. Let's say it's on department level, and you can see which department has issues. Clicking on that department, you jump to a page showing all applications of that department. One application is red, and clicking on it shows all the servers associated with it. Finally we go to the specific server, and see what's actually wrong. Any thoughts how to work this out with splunk?
At a very elemental level, Splunk can deal with your wish list if the appropriate data is available. The approach would require the mapping of data onto a common framework that can be used to aggregate health and performance indicators. Splunk's Common Information Model allows for the disambiguation of data for common analysis and refactoring. In more technical terms, a search can produce a notable event. Once you have a collection, notable events can be summarized mathematically for comparisons against thresholds. The combination of thresholds and active, aggregated monitoring produces KPIs. If you can map multiple KPIs to reflect an entity, then you can create state. Grouping and mapping all of these onto logical entities creates a high level service view.
There is a project called Splunk IT Service Intelligence which provides you with the next generation service monitoring based on a data-driven approach. You can read about it here. The assets are currently hosted in Splunkbase.
To finally answer your question: No; it is not too complex for Splunk.
We created a composite drilldown dashboard that had traffic lights to show the RAG status of each component.
How we achieved it:
I was trying to do this; the above steps should be able to get our job done.
Could you please explain in detail... I am very new to Splunk and I have a similar requirement. Thanks in advance.
First create searches that will provide the needed information or results to be able to determine the status of the component or service. Next take a look at this App https://splunkbase.splunk.com/app/1923/#/overview and use it together with your search.
Try something simple and easy to start with, like Apache status codes. If there are more than 10 x 404 error codes within one minute, set the lamp to yellow, else it's green.
cheers, MuS
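One way to turn MuS's Apache example into a search that feeds a traffic light and rolls it up to the department level from the question; this is an added example, not part of the answer, and `index=web`, the `host_to_app` lookup (host → application, department) and the red threshold of 50 are assumptions:

```spl
index=web sourcetype=access_combined earliest=-60m
| bin _time span=1m
| stats count(eval(status=404)) AS err_404 BY _time, host
| eval light=case(err_404 > 50, "red", err_404 > 10, "yellow", true(), "green")
| dedup host sortby -_time
| lookup host_to_app host OUTPUT application, department
| eval sev=case(light=="red", 3, light=="yellow", 2, true(), 1)
| stats max(sev) AS sev, values(host) AS hosts BY department, application
| eval light=case(sev==3, "red", sev==2, "yellow", true(), "green")
| table department, application, light, hosts
```

Counting 404s with `count(eval(status=404))` over all access events (rather than searching only `status=404`) makes a host that served traffic without errors show green instead of disappearing; a host with no traffic at all still produces no row, so treat "missing" as its own state rather than as green.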
All of that can be done but some of the navigation and mapping are not built in to simple XML and require the use of the Web Framework.
Looks very promising, Pablo! I'll dive into the docs and see if it fits my needs.
You think ITSI would also support multiple drilldown levels? (I tried to explain this in the last bit, do you understand what I mean?)
This should be an answer.
As mentioned, Splunk ITSi will provide this functionality. Stay tuned to .conf this year for more information!
Taking a peek at the documentation, this looks very similar to another app - Enterprise Security with the correlation searches, notables, and so on. Will be interesting to see this presented at .conf