This knowledge article provides steps to allow Splunk to receive and correctly interpret File Director syslog events. It also contains sample reports and dashboards.
Ensure inputs.conf, props.conf and transforms.conf have been populated as per the attached files. Note, the contents of these files may need to be adjusted to suit your environment. The examples provided assume a Splunk deployment dedicated to File Director.
The files are found at the following path: /opt/splunk/etc/system/local
Note, these files were updated on 25th August 2017 to support new features in future versions of File Director (For details on the . The UTC timezone has also been configured in props.conf to match the timestamps emitted by the appliance, so that searches can be run in local time.
Once these have been imported, the operational dashboard prerequisite reports can be configured.
Configure Data Models:
Upload the following attached .json files to create the Data models:
See Attachment: MB_Remaining.json (below)
See Attachment: Sync_state_of_users.json (below)
See Attachment: Total_Megabytes.json (below)
Configure Custom Searches, Reports and Alerts:
Click 'New' and add the following items:
Name: MB Remaining for Users
| pivot MB_Remaining SearchObject max(megabytes_remaining) AS "Max of megabytes_remaining" SPLITROW username AS username SORT 100 username ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1
Name: Sync State of Users
| pivot Sync_state_of_users SearchObject max(synced_percentage) AS "Max of synced_percentage" SPLITROW username AS username FILTER synced_percentage = * SORT 100 username ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1
Name: Total Megabytes
| pivot Total_Megabytes SearchObject max(total_megabytes) AS "Total Megabytes" SPLITROW username AS username SORT 100 username ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1
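The pivots above only return sensible per-user maxima if the field extraction in transforms.conf and the TZ = UTC setting in props.conf are right. The following is an added example, not part of the article or its attachments: it tests a candidate extraction regex offline against constructed sample events (the real File Director syslog layout is not shown in the article, so the line format and the regex are assumptions), applies the UTC timestamp rule, and reproduces the per-user max that each of the three pivot searches computes.

```python
import re
from datetime import datetime, timezone

# Constructed sample events. The real File Director syslog format is not
# shown in the article, so this layout (and the regex below) is an assumption.
SAMPLE_EVENTS = [
    "2017-09-01T09:15:02Z filedirector sync: username=alice total_megabytes=2048 megabytes_remaining=512 synced_percentage=75",
    "2017-09-01T09:20:41Z filedirector sync: username=alice total_megabytes=2048 megabytes_remaining=128 synced_percentage=94",
    "2017-09-01T09:21:10Z filedirector sync: username=bob total_megabytes=4096 megabytes_remaining=4096 synced_percentage=0",
    "2017-09-01T09:25:33Z filedirector heartbeat: node=fd01 status=ok",
]

# The same regex you would put in transforms.conf (Splunk uses PCRE, which
# accepts these named groups). Testing it here first catches a broken
# extraction before it silently produces empty pivots in Splunk.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ sync: "
    r"username=(?P<username>\S+) total_megabytes=(?P<total_megabytes>\d+) "
    r"megabytes_remaining=(?P<megabytes_remaining>\d+) synced_percentage=(?P<synced_percentage>\d+)$"
)

def extract(line):
    """Return the extracted fields, or None when the line is not a sync event."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    # props.conf sets TZ = UTC, so the appliance timestamp is read as UTC
    # rather than as the indexer's local zone; mirror that rule here.
    f["_time"] = datetime.strptime(f.pop("ts"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    for k in ("total_megabytes", "megabytes_remaining", "synced_percentage"):
        f[k] = int(f[k])
    return f

def pivot_max(lines, field):
    """Per-user max of one field: what the article's three pivot searches compute."""
    result = {}
    for line in lines:
        ev = extract(line)
        if ev is None:
            continue  # non-sync events (heartbeats etc.) must not feed the pivot
        u = ev["username"]
        result[u] = max(result.get(u, ev[field]), ev[field])
    return dict(sorted(result.items()))

if __name__ == "__main__":
    for field in ("megabytes_remaining", "synced_percentage", "total_megabytes"):
        print(field, pivot_max(SAMPLE_EVENTS, field))
```

Swap SAMPLE_EVENTS for a few lines copied from your own appliance's syslog output and adjust EVENT_RE until every sync event extracts; the resulting regex is what goes into transforms.conf.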
Optional steps to create an experimental dashboard for demo purposes:
Create a new dashboard:
Click 'edit / edit source' once you have created the new Dashboard and paste the following XML:
See Attachment: dashboard.xml (below)
Click 'save' to complete
To install the FD_Health_Status_Dashboard, the only prerequisite is to be running a supported version of the File Director appliance - this is currently 4.2 update 2 (not 4.3).
THIS SOLUTION AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.