Skip to main content

Splunk

Pack Assets​

Templates​

The Centreon Plugin Pack Splunk brings a host template:

  • App-Monitoring-Splunk-Api-custom

It brings the following service templates:

Service AliasService TemplateService DescriptionDefault
Index-UpdateApp-Monitoring-Splunk-Index-Update-ApiCheck indexes last update timeX
Query-Matches-NumberApp-Monitoring-Splunk-Query-ApiCheck number of results for a query. Query has to start with "search ".Example
Splunkd-HealthApp-Monitoring-Splunk-Splunkd-Health-ApiCheck the overall health of splunkd. The health of splunkd is based on the health of all features reporting it.X

Collected metrics & status​

Metric NameUnit
index#splunk.index.last.updated.secondss

Prerequisites​

To use this plugin, you have to configure a user with privileges allowing him to call these endpoints:

  • /services/data/indexes
  • /services/server/health/splunkd/details
  • /services/search/jobs/*

Setup​

Monitoring Pack​

If the platform uses an online license, you can skip the package installation instruction below as it is not required to have the pack displayed within the Configuration > Plugin Packs > Manager menu. If the platform uses an offline license, install the package on the central server with the command corresponding to the operating system's package manager:

dnf install centreon-pack-applications-monitoring-splunk-api

Whatever the license type (online or offline), install the Splunk Pack through the Configuration > Plugin Packs > Manager menu.

Plugin​

Since Centreon 22.04, you can benefit from the 'Automatic plugin installation' feature. When this feature is enabled, you can skip the installation part below.

You still have to manually install the plugin on the poller(s) when:

  • Automatic plugin installation is turned off
  • You want to run a discovery job from a poller that doesn't monitor any resource of this kind yet

More information in the Installing the plugin section.

Use the commands below according to your operating system's package manager:

dnf install centreon-plugin-Applications-Monitoring-Splunk-Api

Configuration​

Host​

  • Log into Centreon and add a new host through Configuration > Hosts.
  • Fill the Name, Alias & IP Address/DNS fields according to your Splunk server settings.
  • Apply the App-Monitoring-Splunk-Api-custom template to the host.
  • Once the template is applied, fill in the corresponding macros. Some macros are mandatory.
MandatoryMacroDescription
SPLUNKAPIEXTRAOPTIONSAny extra option you may want to add to every command line (eg. a --verbose flag)
SPLUNKAPIHOSTIP Address or FQDN of your Splunk instance
SPLUNKAPIPASSWORDAPI Password
SPLUNKAPIPORTAPI Listening port (Default: '8089')
SPLUNKAPIPROTOCOLAPI Protocol (Default: 'https')
SPLUNKAPIUSERNAMEAPI Username

How to check in the CLI that the configuration is OK and what are the main options for?​

Once the plugin is installed, log into your Centreon poller's CLI using the centreon-engine user account (su - centreon-engine) and test the plugin by running the following command:

/usr/lib/centreon/plugins//centreon_monitoring_splunk_api.pl \
--plugin=apps::monitoring::splunk::plugin \
--mode=index-update \
--hostname='' \
--port='8089' \
--proto='https' \
--api-username='' \
--api-password='' \
--index-name='' \
--warning-index-last-update-seconds='600' \
--critical-index-last-update-seconds='900' \
--verbose \

The expected command output is shown below:

OK: last update: 5 minutes  | 'splunk.index.last.updated.seconds'=300s;;;0; 

All available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins//centreon_monitoring_splunk_api.pl \
--plugin=apps::monitoring::splunk::plugin \
--mode=index-update \
--help

All available modes can be displayed by adding the --list-mode parameter to the command:

/usr/lib/centreon/plugins//centreon_monitoring_splunk_api.pl \
--plugin=apps::monitoring::splunk::plugin \
--list-mode

Troubleshooting​

Please find the troubleshooting documentation for the API-based plugins in this chapter.