type: splunkenterprise status: class: receiver stability: alpha: [metrics] distributions: [contrib] codeowners: active: [shalper2, MovieStoreGuy, greatestusername] attributes: splunk.host: description: The name of the splunk host type: string splunk.splunkd.build: description: The build number for this Splunk instance version type: string splunk.splunkd.version: description: The splunkd version number type: string splunk.index.name: description: The name of the index reporting a specific KPI type: string splunk.indexer.status: description: The status message reported for a specific object type: string splunk.indexer.searchable: description: The searchability status reported for a specific object type: string splunk.bucket.dir: description: The bucket super-directory (home, cold, thawed) for each index type: string splunk.queue.name: description: The name of the queue reporting a specific KPI type: string splunk.kvstore.status.value: description: The string value of the status returned when reporting on KV store using the introspection endpoint type: string splunk.kvstore.external: description: Value denoting if the KV store is using an external service type: string splunk.kvstore.storage.engine: description: The backend storage used by the KV store type: string splunk.searchartifacts.cache.type: description: The search artifacts cache type type: string splunk.feature: description: The Feature name from the Splunk Health Introspection Endpoint type: string splunk.feature.health: description: The Health (in color form) of a Splunk Feature from the Splunk Health Introspection Endpoint type: string metrics: splunk.license.index.usage: enabled: false description: Gauge tracking the indexed license usage per index unit: By gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.scheduler.avg.execution.latency: enabled: false description: Gauge tracking the average execution latency of scheduled searches unit: '{ms}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.scheduler.completion.ratio: enabled: false description: Gauge tracking the ratio of completed to skipped scheduled searches unit: '{%}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.indexer.avg.rate: enabled: false description: Gauge tracking the average rate of indexed data. **Note:** Search is best run against a Cluster Manager. unit: KBy gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.pipeline.set.count: enabled: false description: Gauge tracking the number of pipeline sets per indexer. **Note:** Search is best run against a Cluster Manager. unit: KBy gauge: value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.parse.queue.ratio: enabled: false description: Gauge tracking the average indexer parser queue ration (%). *Note:** Search is best run against a Cluster Manager. unit: '{%}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.aggregation.queue.ratio: enabled: false description: Gauge tracking the average indexer aggregation queue ration (%). *Note:** Search is best run against a Cluster Manager. unit: '{%}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.typing.queue.ratio: enabled: false description: Gauge tracking the average indexer typing queue ration (%). *Note:** Search is best run against a Cluster Manager. unit: '{%}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.indexer.queue.ratio: enabled: false description: Gauge tracking the average indexer index queue ration (%). *Note:** Search is best run against a Cluster Manager. unit: '{%}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.scheduler.avg.run.time: enabled: false description: Gauge tracking the average runtime of scheduled searches unit: '{ms}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.indexer.raw.write.time: enabled: false description: Gauge tracking the number of raw write seconds per instance unit: '{s}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.indexer.cpu.time: enabled: false description: Gauge tracking the number of indexing process cpu seconds per instance unit: '{s}' gauge: value_type: double attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.io.avg.iops: enabled: false description: Gauge tracking the average IOPs used per instance unit: '{iops}' gauge: value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.buckets.searchable.status: enabled: false description: Gauge tracking the number of buckets and their searchable status. *Note:** Search is best run against a Cluster Manager. unit: '{count}' gauge: value_type: int attributes: [splunk.host, splunk.indexer.searchable, splunk.splunkd.build, splunk.splunkd.version] splunk.indexes.bucket.count: enabled: false description: Gauge tracking the indexes and their bucket counts. *Note:** Search is best run against a Cluster Manager. unit: '{count}' gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.indexes.size: enabled: false description: Gauge tracking the indexes and their total size (gb). *Note:** Search is best run against a Cluster Manager. unit: Gb gauge: value_type: double attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.indexes.avg.size: enabled: false description: Gauge tracking the indexes and their average size (gb). *Note:** Search is best run against a Cluster Manager. unit: Gb gauge: value_type: double attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.indexes.avg.usage: enabled: false description: Gauge tracking the indexes and their average usage (%). *Note:** Search is best run against a Cluster Manager. unit: '{%}' gauge: value_type: double attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.indexes.median.data.age: enabled: false description: Gauge tracking the indexes and their median data age (days). *Note:** Search is best run against a Cluster Manager. unit: '{days}' gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] # 'services/server/introspection/indexer' splunk.indexer.throughput: enabled: false description: Gauge tracking average bytes per second throughput of indexer. *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: By/s gauge: value_type: double # attribute `status` can be one of the following `normal`, `throttled`, `stopped` attributes: [splunk.indexer.status, splunk.splunkd.build, splunk.splunkd.version] # 'services/data/indexes-extended' splunk.data.indexes.extended.total.size: enabled: false description: Size in bytes on disk of this index *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: By gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.data.indexes.extended.event.count: enabled: false description: Count of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets. *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: '{events}' gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.data.indexes.extended.bucket.count: enabled: false description: Count of buckets per index unit: '{buckets}' gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] splunk.data.indexes.extended.raw.size: enabled: false description: Size in bytes on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: By gauge: value_type: int attributes: [splunk.index.name, splunk.splunkd.build, splunk.splunkd.version] ## Broken down `bucket_dirs` splunk.data.indexes.extended.bucket.event.count: enabled: false description: Count of events in this bucket super-directory. *Note:** Must be pointed at specific indexer `endpoint`. unit: '{events}' gauge: value_type: int attributes: [splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version] splunk.data.indexes.extended.bucket.hot.count: enabled: false description: (If size > 0) Number of hot buckets. *Note:** Must be pointed at specific indexer `endpoint`. unit: '{buckets}' gauge: value_type: int attributes: [splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version] splunk.data.indexes.extended.bucket.warm.count: enabled: false description: (If size > 0) Number of warm buckets. *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: '{buckets}' gauge: value_type: int attributes: [splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version] #'services/server/introspection/queues' splunk.server.introspection.queues.current: enabled: false description: Gauge tracking current length of queue. *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: '{queues}' gauge: value_type: int attributes: [splunk.queue.name, splunk.splunkd.build, splunk.splunkd.version] splunk.server.introspection.queues.current.bytes: enabled: false description: Gauge tracking current bytes waiting in queue. *Note:** Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer. unit: By gauge: value_type: int attributes: [splunk.queue.name, splunk.splunkd.build, splunk.splunkd.version] #'services/kvstore/status' splunk.kvstore.status: enabled: false description: This is the overall status of the kvstore for the given deployment. unit: '{status}' gauge: value_type: int attributes: [splunk.kvstore.storage.engine, splunk.kvstore.external, splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version] splunk.kvstore.replication.status: enabled: false description: Replication status of the KV store. unit: '{status}' gauge: value_type: int attributes: [splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version] splunk.kvstore.backup.status: enabled: false description: Backup and restore status of the KV store. unit: '{status}' gauge: value_type: int attributes: [splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version] #'services/server/status/dispatch-artifacts' splunk.server.searchartifacts.adhoc: enabled: false description: Gauge tracking number of ad hoc search artifacts currently on disk. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.scheduled: enabled: false description: Gauge tracking number of scheduled search artifacts currently on disk. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.completed: enabled: false description: Gauge tracking number of artifacts currently on disk that belong to finished searches. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.incomplete: enabled: false description: Gauge tracking number of artifacts currently on disk that belong to unfinished/running searches. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.invalid: enabled: false description: Gauge tracking number of artifacts currently on disk that are not in a valid state, such as missing info.csv file, etc. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.savedsearches: enabled: false description: Gauge tracking, for the `splunk.server.searchartifacts.scheduled` number of scheduled search artifacts, how many different saved-searches they belong to. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.job.cache.size: enabled: false description: Gauge tracking, in megabytes, memory used to cache job status and job info of all search artifacts, available in builds 9.1.2312.207+ and 9.3.x+. unit: "{mb}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.searchartifacts.cache.type, splunk.splunkd.build, splunk.splunkd.version] splunk.server.searchartifacts.job.cache.count: enabled: false description: Gauge tracking number search artifacts metadata stored in memory, available in builds 9.1.2312.207+ and 9.3.x+. unit: "{search_artifacts}" gauge: monotonic: false aggregation_temporality: cumulative value_type: int attributes: [splunk.host, splunk.splunkd.build, splunk.splunkd.version] #`services/server/health/splunkd/details` splunk.health: enabled: true description: The status ('red', 'yellow', or 'green') of the Splunk server. Health of 'red' produces a 0 while all other colors produce a 1. unit: "{status}" gauge: value_type: int attributes: [splunk.feature, splunk.feature.health, splunk.splunkd.build, splunk.splunkd.version] tests: config: