Splunk .conf2011: Real Time Alerting and Monitoring

Monitoring and Alerting Ledion Bitincka, Search and Alerting Team

Search and Reporting Team @ Splunk for 4+ years - since 3.0 Things I’ve worked on: Key-value extractions Transactions, Eventtyping, Typeahead, Summary Indexing Monitoring and alerting framework Other random @#$% Intro … Ledion Bitincka (aka Splunk Albanian)

Why use Splunk for monitoring and alerting? Basic alerting Advanced alerts and config options Real-time alerting and throttling (new in 4.2) Alert Manager (new in 4.2) Sneak peek into new features … Feel free to interrupt when you don’t follow!!! Agenda

Life Without Splunk Service Desk Application Support Systems Administrator Application Developer Application Developer Database Administrator Log call. The console says everything is green. App monitoring tools don’t show anything either. Call the developer. Stop working on new code to troubleshoot. Need production logs! Stop what they’re doing to identify and gather production logs for developer. Manual investigation establishes not application problem. DBA analyzes the logs which points to corrupted database files. Escalate. Escalate. Escalate. Respond. Escalate. Now what?

Life With Splunk Service Desk Trouble Ticket Search on IP address shows related Web session and User ID “ 192.168.169.100” Last 60 minutes 192.168.169.100 Search at same time reveals database error due to corrupted files Search for failure or error across entire IT Last 2 minutes failure OR error Search on corruption in the db logs shows that an index file has been corrupted Search for corruption in db logs Last 1 minute host=db.domain.com source=*db.log corrupt* Setup monitoring and alerting for db file corruption Set up Monitoring and Alerting Last hour host=db.domain.com source=*db.log corrupt*

Monitor and Alert in Real Time 2. Evaluate alerting condition 1. Get data Scheduled search Real-time search Alert Condition 3. Execute actions RSS Email SNMP Script Yes Noop No

Create simple alert using wizard … Available alert actions … Configure email settings (MTA, link hostname)... Demo… (5-10 min)

Advanced Alerting Options Specify an advanced schedule using cron notation Use custom alert conditions Invoke scripts to perform custom actions Integrate with other tools file trouble ticket Other custom processing restart a faulty service update a firewall rule temporarily disable a user account etc …

Real-time Search Primer Searches forward in time Never completes (unless stopped) Constantly updating result set Only generates results preview All search commands supported

Splunkd/ Scheduler Search Process time Search Start historical search Suppress? Logging Scheduled Search Alerts audit.log search.log Y N Notify splunkd splunkd_access.log audit.log Search done Execute actions Update artifact TTL Suppression update Alert manager N Y Done scheduler.log Condition Results

Real-time Alerts Splunkd/ Scheduler Search Process time RT Search Start RT search Suppress? Logging … .. audit.log search.log Y N Notify splunkd splunkd_access.log Execute actions Update artifact TTL Suppression update Alert manager N Y Condition ResPrev Done scheduler.log Condition ResPrev N Y Results Snapshot

Real-time Alerts Reduce response time Continuously monitor a condition Scheduler ensures real-time search is always running Throttling is almost always necessary Compatible with all alert actions Visible through Alerts Manager

Alert Throttling Natively support alert action throttling Useful in: Alert when database server is down, but don’t alert me about this condition for one hour Available for both standard and real-time alerts

Alerts Manager System-wide view of all triggered alerts Basic alert management features Ability to drill down and view why the alert was triggered Real-time alert results are snapshots in time when triggered

Demo… (5-10 min) Show custom alert conditions, when to use them Demo real-time alerts: Throttling Alert manager

Managing Search Load System wide concurrent searches limited to Total: 4 + 4 x number of cores Limit used for ad-hoc and scheduled searches Scheduler queues over limit searches Scheduler allocation is configurable in limits.conf [scheduler] max_searches_perc = 25 // percentage of system wide concurrent searches to use … Use the Scheduler Activity dashboards Search App >> Status >> Scheduler Activity >> Overview Search allocation

savedsearches.conf Search string, schedule, alert condition, actions etc… alert_actions.conf Alert action options such as: email server, format, subject line, ttl etc… limits.conf Scheduler’s concurrent search limit Action execution related limits scheduler.log Look in $SPLUNK_HOME/etc/system/README/<filename>.conf.spec for more detailed info .conf & .log File Summary

Per result alerting and throttling More alert actions to enable more complex alerting conditions Once five failed login attempts occur enable a monitoring search that alerts on suspicious user activity Sneak Peek Into New Features

How scheduled and real-time alerts work Create simple and advanced real-time alerts Enable alert throttling and check for throttled alerts Check fired alerts using Alerts Manager Change scheduler limit defaults Be an IT hero  Now You Should Know …

August 15, 2011 Questions? Ledion Bitincka, Search and Alerting Team

Splunk .conf2011: Real Time Alerting and Monitoring

Recommended

More Related Content

What's hot (10)

Viewers also liked (20)

Similar to Splunk .conf2011: Real Time Alerting and Monitoring (20)

Recently uploaded (20)

Splunk .conf2011: Real Time Alerting and Monitoring