does monitoring console log to an index?

ilhwan · ‎10-02-2024

I've been asked to generate an uptime report for Splunk. I don't see anything obvious in the monitoring console, so I thought I'd try to see if I could build a simple dashboard. Does the monitoring console log things like

PickleRick · ‎10-04-2024

Monitoring console doesn't "log" anything. It's a collection of dashboards processing data from Splunk's internal indexes and REST calls to your Splunk components (and keeps a bit of state data in internal storage - like a list of forwarders). - this is the part already covered by others.

But the other important point in this topic is that rarely using a tool to monitor itself is a good idea. That's why you have external monitoring solutions and generally you'd rather want an external tool checking - for example - web interface availability or server's performance metrics periodically.

If you want to get something from Splunk's internal logs... well, you can find _something_ but that won't actually tell you if the service was available, healthy and was perfofming well enough.

isoutamo · ‎10-02-2024

Hi

MC is using internal indexes and rest api mainly. Then there are some lookups where it stored some “cache” information. It could store some alert results into index as any other alerts too, but not anything else as out of the box.
You could use MC’s SPL queries as base for your own dashboards etc. but those also use same internal indexes as MC itself.

r. Ismo

ilhwan · ‎10-03-2024

Is it possible to see the SPL queries that MC uses for those dashboards?

isoutamo · ‎10-03-2024

You can do just like almost any other dashboard, just click magnifying glass on right bottom corner of panel. It open a new window with that SPL query.

ilhwan · ‎10-07-2024

Thanks for the suggestion, but I don't see a magnifying glass on any of the panels on the overview screen like on normal dashboard panels. I'm logged in as admin.

inventsekar · ‎10-07-2024

Hi @ilhwan

> but I don't see a magnifying glass on any of the panels

Pls mouse over on the panel to the lower right corner of the panel. then you can see the magnifying glass.

For example, on DMC, Indexing--->Indexes and Volumes ---> Indexes and Volumes: Instance got this panel.

when i mouse over, then only the magnifying glass appears.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar · ‎10-02-2024

Hi @ilhwan

>> an uptime report for Splunk

maybe more details needed pls. by linux uptime, you will have how many users logged in, cpu usage, system startup time, last shutdown time, load average, etc

are you looking a similar report for Splunk or something else, more details pls.

for the question about monitoring console, the monitoring console got lots of nice and useful dashboards, like longer running searches, high CPU intensive searches, which user is running more Splunk, and lot more.

All you need to do is,

1) get a list of things of what you are looking for.

2) check if DMC got some dashboard panels with the details you are looking for.

3) make your own dashboard with panels from existing DMC panels or your own SPL.

hope this gave some ideas, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

ilhwan · ‎10-03-2024

I'm looking for application availability and not server uptime.

does monitoring console log to an index?

administration

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?