# Version 9.2.2.20240415
#
# This file sets the default thresholds for Splunk Enterprise's built
# in Health Report.
#
# Feature stanzas contain indicators, and each indicator has two thresholds:
# * Yellow: Indicates something is wrong and should be investigated.
# * Red: Means that the indicator is effectively not working.
#
# There is a health.conf in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name health.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
#
# To learn more about configuration files (including precedence), see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
[distributed_health_reporter]
disabled = <boolean>
* Whether or not this Splunk platform instance calls connected search peers to
retrieve health report information.
* A value of 1 disables the distributed health report on this Splunk platform
instance. When disabled, the instance does not call connected search peers
to retrieve health report information.
* Default: 0 (enabled)
[health_reporter]
full_health_log_interval = <number>
* The amount of time, in seconds, that elapses between each PeriodicHealthReporter=INFO log entry.
* Default: 30.
suppress_status_update_ms = <number>
* The minimum amount of time, in milliseconds, that must elapse between an
indicator's health status changes.
* Changes that occur earlier will be suppressed.
* Default: 300.
latency_tracker_log_interval = <number>
* The amount of time, in seconds, that elapses between each latency tracker log entry.
* Default: 30.
aggregate_ingestion_latency_health = [0|1]
* A value of 0 disables the aggregation feature for ingestion latency health reporter.
* Default: 1 (enabled).
ingestion_latency_send_interval = <integer>
* The amount of time, in seconds, that splunkd waits before it sends ingestion
latency data as part of a heartbeat message.
* splunkd determines the actual interval at which it sends this data by factoring
the value for 'ingestion_latency_send_interval' with the value for 'heartbeatFrequency' in
the [tcpout] stanza of the outputs.conf file. This is because splunkd uses the
tcpout heartbeat to send ingestion latency data, and that it won't send ingestion latency
data at a frequency of less than outputs.conf:[tcpout].'heartbeatFrequency' seconds.
* If you set 'ingestion_latency_send_interval' to a value that is higher than
'heartbeatFrequency', splunkd sends the data on the first heartbeat at which
the elapsed heartbeat time (a multiple of 'heartbeatFrequency' seconds) is
greater than 'ingestion_latency_send_interval'.
* For example: if 'ingestion_latency_send_interval' has a value of 75 and
'heartbeatFrequency' has a value of 60, splunkd sends the data every
120 seconds, because two periods of 'heartbeatFrequency' must pass before
the elapsed heartbeat time (120 seconds) is greater than the
'ingestion_latency_send_interval' of 75 seconds.
* Conversely, if you set 'ingestion_latency_send_interval' to a value that is lower than
'heartbeatFrequency', splunkd sends the data with each heartbeat, because
'ingestion_latency_send_interval' seconds have already elapsed by the time
the heartbeat is sent.
* If, for example, 'ingestion_latency_send_interval' has a value of 30 and
'heartbeatFrequency' has a value of 90, splunkd sends the data every
90 seconds because of the value of 'heartbeatFrequency', even though you set an
'ingestion_latency_send_interval' of 30.
* Default: 30
ingestion_latency_send_interval_max = <number>
* The maximum amount of time, in seconds, that elapses between ingestion latency data sent as part of a heartbeat message. Must be in the range 0-86400.
* Default: 86400.
alert.disabled = [0|1]
* A value of 1 disables the alerting feature for health reporter.
* If the value is set to 1, alerting for all features is disabled.
* Default: 0 (enabled)
alert.actions = <string>
* The alert actions that will run when an alert is fired.
alert.min_duration_sec = <integer>
* The minimum amount of time, in seconds, that the health status color must
persist within threshold_color before triggering an alert.
* Default: 60.
alert.threshold_color = [yellow|red]
* The health status color that will trigger an alert.
* Default: red.
alert.suppress_period = <integer>[m|s|h|d]
* The minimum amount of time, in [minutes|seconds|hours|days], that must
elapse between each fired alert.
* Alerts that occur earlier will be sent as a batch after this time period
elapses.
* Default: 10m
[clustering]
health_report_period = <number>
* The amount of time, in seconds, that elapses between each Clustering
health report run.
* Default: 20.
disabled = <boolean>
* Whether or not the clustering feature health check is disabled.
* A value of 1 disables the clustering feature health check.
* Default: 0 (enabled)
[tree_view:health_subset]
* Defines a tree view for health features.
* Users with 'list_health_subset' capability can view features belonging
to this tree view.
* Users with 'edit_health_subset' capability can edit thresholds for features
belonging to this tree view.
[feature:*]
suppress_status_update_ms = <number>
* The minimum amount of time, in milliseconds, that must elapse between an indicator's
health status changes.
* Changes that occur earlier will be suppressed.
* Default: 300.
display_name = <string>
* A human readable name for the feature.
distributed_disabled = <boolean>
* Whether or not the distributed health report (DHR) tree view includes
information about this feature.
* A value of "true" means that the DHR does not include this feature in
its tree view, which means you won't see it when you open the Health Report
in Splunk Web.
* This value doesn't apply to the ability of the feature to
generate alerts, as appropriate.
* A value of "false" means that the DHR includes this feature in
its tree view.
* Default: 0
snooze_end_time = <number>
* Determines the snooze end time, in seconds since the epoch (Unix time), for this feature.
Specifying a value for this setting enables a snooze period that suppresses color changes
for a feature until the <snooze_end_time>.
* A value of 0 disables snoozing for this feature.
* Default: 0
alert.disabled = <boolean>
* Whether or not alerting is disabled for this feature.
* A value of 1 disables alerting for this feature.
* If alerting is disabled in the [health_reporter] stanza, alerting for this feature is disabled,
regardless of the value set here.
* Otherwise, if the value is set to 1, alerting for all indicators is disabled.
* Default: 0 (enabled)
alert.min_duration_sec = <integer>
* The minimum amount of time, in seconds, that the health status color must
persist within threshold_color before triggering an alert.
alert.threshold_color = [yellow|red]
* The health status color to trigger an alert.
* Default: red.
friendly_description = <string>
* A general description to help the user determine what functionality is monitored
by the health report indicator.
indicator:<indicator name>:friendly_description = <string>
* A general description of the technical behavior monitored by the indicator.
Use common terminology that a user can search on to find documentation,
details, or troubleshooting guidance.
indicator:<indicator name>:description = <string>
* Description of this indicator to help users to make basic decisions such as:
Turning indicators on or off
Adjusting the threshold of an indicator
Turning on alerting for an indicator
indicator:<indicator name>:<indicator color> = <number>
* There are various indicator names. See your health.conf for the complete list.
* There are two valid colors: yellow and red.
* These settings should not be adjusted lightly. If the numbers are set too
high, you might inadvertently mask serious errors that the Health Report is
trying to bring to your attention.
alert:<indicator name>.disabled = [0|1]
* A value of 1 disables alerting for this indicator.
* Default: 0 (enabled)
alert:<indicator name>.min_duration_sec = <integer>
* The minimum amount of time, in seconds, that the health status color must
persist within threshold_color before triggering an alert.
alert:<indicator name>.threshold_color = [yellow|red]
* The health status color to trigger an alert.
tree_view:health_subset = [enabled | disabled]
* Indicates that this feature belongs to the 'health_subset' tree view.
[alert_action:*]
disabled = [0|1]
* A value of 1 disables this alert action.
* Default: 0 (enabled)
action.<action parameter> = <string>
* There are various parameters for different alert actions.
* Each value defines one parameter for the alert action.
* NOTE: The [feature:master_connectivity], [feature:slave_state], and
[feature:slave_version] stanzas are now DEPRECATED.
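A local health.conf that puts the settings above together is shown below; it is an added illustration, not part of this spec or of Splunk's shipped defaults. The feature and indicator names are placeholders (real names are listed in your default health.conf), the epoch timestamp is constructed, and the "email" alert action with its "action.to" parameter is assumed to exist as in Splunk's default health.conf.

```ini
# $SPLUNK_HOME/etc/system/local/health.conf (added example, not the spec)
# Feature and indicator names are placeholders; look up the real names in
# $SPLUNK_HOME/etc/system/default/health.conf and never edit that file.

[health_reporter]
# Alerting on globally; per-feature alert.disabled still applies beneath this.
alert.disabled = 0
# Assumed: an "email" alert action, as in Splunk's default health.conf.
alert.actions = email
# Alert only after an indicator has stayed red for 5 minutes, and batch
# further alerts so at most one notification goes out per hour.
alert.threshold_color = red
alert.min_duration_sec = 300
alert.suppress_period = 1h

[alert_action:email]
disabled = 0
# Assumed parameter name (action.to) of the default email alert action.
action.to = soc-oncall@example.com

[feature:example_feature]
# Placeholder feature: raise a noisy indicator's thresholds slightly, but
# keep the feature visible in the distributed health report tree view.
distributed_disabled = 0
indicator:example_indicator:yellow = 10
indicator:example_indicator:red = 25
# This indicator alerts on yellow already, after 2 minutes instead of 5.
alert:example_indicator.threshold_color = yellow
alert:example_indicator.min_duration_sec = 120
# Suppress colour changes until the end of a planned maintenance window
# (constructed epoch timestamp); set back to 0 to end the snooze.
snooze_end_time = 1700000000

[feature:example_noisy_feature]
# Placeholder feature whose alerts are silenced while it is under investigation.
# The feature still reports colour changes in the Health Report itself.
alert.disabled = 1
```

Raising a threshold or silencing a feature removes a signal that a forwarder, scheduler or indexer has stopped doing its job, so each override here should be time-boxed (the snooze) or reviewed, not left in place indefinitely.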