Splunk Distributed Management Console

Editor's Notes

• #4: Stela goes over the agenda
• #13: Obvious questions about what can be co-hosted. What does Splunk look like when it gets big?
• #15: A typical DMC setup page
• #18: The Status and Configuration dashboard is an overview of your search head cluster. It is high-level information.
• #19: The Configuration Replication dashboard provides insight into configurations that a user changes on any SHC member, and how these changes propagate through the cluster.
• #20: The Artifact Replication dashboard contains several panels describing the cluster's "backlog" of search artifacts to replicate.
• #21: Provides visibility into the captain’s role as a coordinator for scheduled searches in the cluster.
• #22: In the Apps status panel, a persistent discrepancy indicates that the deployer has not finished deploying apps to its members.
• #25: 2 indexes, 1 status view The status of several indexer clusters can now be consulted from a single location! No need to connect to several Cluster Master instances
• #26: This view shows service tasks undertaken by the indexer clustering framework to meet data replication targets The marker shows a time when an indexer went down, requiring the surviving ones to start copying data buckets to repair the cluster We clearly see an initial peak of fix-up tasks identified, which slowly decreases over time as the cluster fixes itself In that manner, this view provides visibility into the progress of such unplanned reconfiguration events
• #29: We’re looking at the _audit index on the ‘potato’ indexer cluster. We have a target time retention of 150 days for this index, which seems to be respected based on this ‘median data age’ metric.
• #30: However, looking at the breakdown of data age per indexer, we can see that one indexer (svdev-centos6-006.sv.splunk.com) does not meet the target of 150 days of retention. To investigate further, we click on the table row corresponding to this index, which leads us to the Index Detail – Instance view.
• #31: Looking in detail at the index that fails to meet the target retention for the _audit index, we see that: Data is not being deleted due to hitting the time-based retention policy (1st column) Data is not being deleted due to hitting the index-wide disk usage retention policy (2nd column) Data is not being deleted due to hitting directory-level (home & cold path) retention policies (3rd and 4th columns)
• #32: Looking at how data age evolved over time, we can see a sharp drop-off on 09/08, indicating an incident on that day Furthermore, we see that on 09/08 we lost almost all cold buckets, indicating that something happened to the cold directory of this index on that day Let’s take a closer look at the settings for this index: Is this leveraging volumes?
• #33: Indeed, both paths for this index are referencing volumes homePath (hot + warm buckets) is referencing a volume named “opt” coldPath (cold buckets) is referencing a volume named “cold” We should look at these volumes next, using the Volume Detail – Instance scoped to this indexer
• #34: First let’s look at the ‘opt’ volume We see that this volume is _not_ full, so it’s not pushing data out We also see that the _audit index’s ‘home’ directory is hosted on this volume, with ~3GB worth of data Let’s move on to the ‘cold’ volume
• #35: Looking at the ‘cold’ volume now This volume *is* full! It is pushing data out aggressively! All space in this volume is used by the ‘latex_imports’ index, representing only ~ 1 day’s worth of data Given that a full volume freezes older data first, the surge of recent data from ‘latex_imports’ has caused the volume to push out all data from the ‘_audit’ index Solution: separate indexes with different data density and target retention periods in different volumes
• #38: Forwarder Monitoring – Deployment view can highlight missing forwarders Here we can clearly see two forwarders that have gone missing The first one – ‘atruong-mbpr15’ – hasn’t sent data to the indexers for ~ 3 hours The second one – ‘uf-dmcdemo’ – hasn’t sent data to the indexers for ~ 13 hours Let’s click on one of these missing forwarders for a drill-down to the Forwarder Monitoring – Instance view
• #39: Forwarder Monitoring – Instance view We’re now looking in more detail at the history of forwarder ‘uf-dmcdemo’ connections to the indexers on the previous day We can clearly see a gap of several hours during which this forwarder did not connect to the indexers, which would have resulted in a “missing” status
• #40: Missing forwarders can also be pro-actively detected using a built-in alert!
• #45: We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!