---
title: Using Splunk Firehose Nozzle for VMware Tanzu
owner: Partners
---
This topic describes how to use Splunk Firehose Nozzle for VMware Tanzu.
After installing and configuring Splunk Firehose Nozzle for VMware Tanzu, VMware Tanzu operators can navigate to the URL of their existing Splunk Enterprise deployment to immediately search, report, visualize, and alert on VMware Tanzu Firehose data.
The following assumes basic familiarity with running searches, saving reports, and creating dashboards in Splunk Enterprise.
If you are new to Splunk, start with the [Search Tutorial](https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial), which shows you how to search data and create simple dashboards.
The following is an example Splunk dashboard for operational intelligence.

<%#
For a starter sample dashboard for operational intelligence, you can use community-supported
[Splunk Add-on for Cloud Foundry](#add-on) which includes many pre-built panels and reports to
help you quickly build your own custom dashboards to monitor the health of your foundation and the performance of your apps.
%>
##<a id='search'></a>Search Firehose Data
The Firehose event types forwarded by the Splunk Firehose Nozzle are assigned the following Splunk sourcetypes by default:
Firehose event type | Splunk sourcetype
--- | ---
Error | `cf:error`
HttpStartStop | `cf:httpstartstop`
LogMessage | `cf:logmessage`
ContainerMetric | `cf:containermetric`
CounterEvent | `cf:counterevent`
ValueMetric | `cf:valuemetric`
In addition, the Nozzle's own logs are assigned the sourcetype `cf:splunknozzle`.
You can use these Splunk sourcetypes to search and retrieve the relevant events from the index,
use statistical commands to calculate metrics and generate reports, search for specific conditions within a rolling time window,
identify patterns in your data, predict future trends, and so on. Here are some sample search commands that you can use:
* Search for any errors from your deployment:
`sourcetype=cf:error`
* Search for router bad gateways:
`sourcetype=cf:counterevent name="bad_gateways"`
* Search for metrics of remaining cell disk capacity or memory:
`sourcetype=cf:valuemetric name=CapacityRemainingDisk`
`sourcetype=cf:valuemetric name=CapacityRemainingMemory`
Your Splunk role must have read access to the index that the Nozzle is configured to write these Firehose events to.
If that index is not among the indexes your role searches by default, add it explicitly to the search (for example, prefix the search with `index=<nozzle index>`); otherwise the search returns no results rather than an error.
These searches can be saved as reports and used to power dashboard panels, as shown in the next section.
##<a id='report'></a>Report and Visualize Firehose Data
To monitor the operational health of your environment, you can build on these same searches to generate reports and visualizations. For example:
* Report available memory per cell:
```
sourcetype=cf:valuemetric name=CapacityRemainingMemory
| eval valueGB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| stats min(valueGB) as mem by job_instance
| rename mem as "Available Memory (GB)", job_instance as "Job Instance"
```

* Report available memory per cell over time:
```
sourcetype=cf:valuemetric name=CapacityRemainingMemory
| eval valueGB=round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value),2)
| timechart min(valueGB) by job_instance
```

* Report number of routes registered with trend indicator:
```
sourcetype=cf:valuemetric name=RoutesTotal
| timechart avg(value) as numRoutes
```
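The searches in this section and in [Search Firehose Data](#search) filter on `sourcetype` and `name`, convert `value` to GiB with an `eval`/`case` expression, aggregate with `stats min(...) by job_instance`, and (for alerts) count events in a trailing time window. The following Python script is an added example, not part of this page or of the Splunk Firehose Nozzle project: it re-implements those four steps over a small constructed batch of events so that you can check what a dashboard panel or alert threshold will actually see before trusting it. The field names (`sourcetype`, `name`, `value`, `unit`, `job_instance`) follow the searches on this page; the `delta` field on `bad_gateways` counter events, the `timestamp` field, the job instance names and all metric values are assumptions made for the example.

```python
# Added example: offline re-implementation of this page's SPL searches in Python.
# Not part of the Splunk Firehose Nozzle project. Field names follow the searches
# on this page plus an assumed CounterEvent "delta" field; the events below are
# constructed, not captured from a foundation.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample batch, shaped like nozzle events after Splunk field extraction.
SAMPLE_EVENTS = [
    # CapacityRemainingMemory in the units the page's eval handles ...
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingMemory", "value": 12288,
     "unit": "MiB", "job_instance": "diego_cell/0", "timestamp": NOW - timedelta(minutes=2)},
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingMemory", "value": 10240,
     "unit": "MiB", "job_instance": "diego_cell/0", "timestamp": NOW - timedelta(minutes=1)},
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingMemory", "value": 8,
     "unit": "GiB", "job_instance": "diego_cell/1", "timestamp": NOW - timedelta(minutes=2)},
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingMemory", "value": 7.5,
     "unit": "GiB", "job_instance": "diego_cell/1", "timestamp": NOW - timedelta(minutes=1)},
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingMemory", "value": 1048576,
     "unit": "KiB", "job_instance": "diego_cell/3", "timestamp": NOW - timedelta(minutes=1)},
    # ... and one in a unit the case() does not cover: SPL yields null and min() drops it.
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingMemory", "value": 4294967296,
     "unit": "B", "job_instance": "diego_cell/2", "timestamp": NOW - timedelta(minutes=1)},
    # A different metric that the name= term must filter out.
    {"sourcetype": "cf:valuemetric", "name": "CapacityRemainingDisk", "value": 100000,
     "unit": "MiB", "job_instance": "diego_cell/0", "timestamp": NOW - timedelta(minutes=1)},
    # gorouter bad_gateways counter events; "delta" is assumed to be the per-event increment.
    {"sourcetype": "cf:counterevent", "name": "bad_gateways", "delta": 3,
     "job_instance": "router/0", "timestamp": NOW - timedelta(minutes=1)},
    {"sourcetype": "cf:counterevent", "name": "bad_gateways", "delta": 4,
     "job_instance": "router/0", "timestamp": NOW - timedelta(minutes=4)},
    {"sourcetype": "cf:counterevent", "name": "bad_gateways", "delta": 5,
     "job_instance": "router/1", "timestamp": NOW - timedelta(minutes=10)},  # outside a 5m window
]


def to_gib(value, unit):
    """Mirror the page's eval:
    round(case(unit=="MiB", value/1024, unit=="KiB", value/(1024*1024), unit=="GiB", value), 2)
    SPL case() returns null when no branch matches, so any other unit yields None."""
    if unit == "MiB":
        return round(value / 1024, 2)
    if unit == "KiB":
        return round(value / (1024 * 1024), 2)
    if unit == "GiB":
        return round(value, 2)
    return None


def min_remaining_memory_gib(events):
    """sourcetype=cf:valuemetric name=CapacityRemainingMemory | eval valueGB=... | stats min(valueGB) by job_instance
    Returns {job_instance: minimum GiB}. A cell whose events only carry an unhandled unit is
    absent from the result (not reported as 0), exactly as stats min() skips null values."""
    result = {}
    for e in events:
        if e["sourcetype"] != "cf:valuemetric" or e["name"] != "CapacityRemainingMemory":
            continue
        gib = to_gib(e["value"], e["unit"])
        if gib is None:
            continue  # null valueGB: silently ignored by min()
        job = e["job_instance"]
        result[job] = gib if job not in result else min(result[job], gib)
    return result


def memory_below(events, threshold_gib):
    """Cells whose minimum remaining memory is below threshold_gib (the `where` clause an alert
    would append). Cells dropped by the unit conversion never appear here, so a missing cell
    needs its own check rather than being read as healthy."""
    return sorted(job for job, gib in min_remaining_memory_gib(events).items() if gib < threshold_gib)


def bad_gateways_in_window(events, now=NOW, window_minutes=5):
    """sourcetype=cf:counterevent name="bad_gateways" over a trailing window (earliest=-5m),
    summing the assumed delta field. This is what a scheduled alert sees at `now`; events
    older than the window are not counted."""
    start = now - timedelta(minutes=window_minutes)
    return sum(e["delta"] for e in events
               if e["sourcetype"] == "cf:counterevent" and e["name"] == "bad_gateways"
               and start <= e["timestamp"] <= now)


if __name__ == "__main__":
    print("min remaining memory (GiB):", min_remaining_memory_gib(SAMPLE_EVENTS))
    print("cells below 8 GiB:", memory_below(SAMPLE_EVENTS, 8))
    print("bad_gateways in last 5m:", bad_gateways_in_window(SAMPLE_EVENTS))
```

The point to take from the unit conversion is that `case()` returns null for any unit it does not list, and `stats min()` then drops that event without warning, so a cell can disappear from the "Available Memory" panel rather than show a low value; an alert built on these searches should also flag cells that stop appearing. For the `bad_gateways` count, sum the per-event increment over the alert's own scheduling interval rather than reading the cumulative total, which only ever grows.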

For more information about searching and reporting with Splunk,
see [Splunk Docs](https://docs.splunk.com/Documentation/Splunk).