Splunk Enterprise

Where do I configure the health.conf so that I can disable the IOWaits alert?

BlueSocket
Communicator

Dear All,

I have a Search Head, Deployment Server, Monitoring Console, a Cluster Manager, an Indexer Cluster and two unclustered Indexers.

On the Monitoring Console, I get alerts about the IOWaits being high on the two unclustered indexers and this has been happening only since we upgraded to 8.2.5.

There is no evidence of any issues, other than this alert in SplunkWeb and I want to disable it. I am using the following KB article:

https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Healthconf

On the Monitoring Console server, I have put the following into the etc\apps\search\local\health.conf file:

[feature:iowait]
alert:sum_top3_cpu_percs__max_last_3m.disabled = 1

However, I am still getting the appearing in SplunkWeb on the Monitoring Console server.

Why is this? Am I configuring the health.conf in the wrong server or the wrong folder, or what? When I run a cmd btool health list, I see the configuration there, but Splunk is not doing as it is being told! If I am doing the wrong thing, even, can someone point me to some documentation that explains what I should be doing?

Thanks in advance! 

Labels (2)
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Did you restart the MC server after changing the config file?

Have you tried making the same health.conf change on the indexers?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

BlueSocket
Communicator

Yes, I restarted the MC several times after the changes to the configurations.

 

No, I have not edited the health.conf on the Indexers. They are quite difficult to restart at the moment and I was hoping that someone would have a KB or document that could help (or know definitively) before I went there.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...