Monitoring File Director with Splunk

Version 8

    Verified Product Versions

    AppSense DataNow 3.6, AppSense DataNow 3.5, AppSense DataNow 3.0, AppSense DataNow 4.0, AppSense DataNow 4.1, AppSense DataNow 4.2, AppSense File Director 4.3

    Introduction

    This knowledge article provides the steps that allow Splunk to receive and correctly interpret File Director syslog events. It also contains sample reports and dashboards.

    Detail

    Ensure inputs.conf, props.conf and transforms.conf have been populated as per the attached files. Note that the contents of these files may need to be adjusted to suit your environment. The examples provided assume a Splunk deployment dedicated to File Director.

    The files are found at the following path: /opt/splunk/etc/system/local

    Note that these files were updated on 25th August 2017 to support new features in future versions of File Director (For details on the . The UTC time zone has also been configured in props.conf to match the output from the appliance, allowing searches to be run in local time.
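    As an added illustration (not the attached files from this article, whose contents are not reproduced here), the stanzas below show the shape the three conf files take for a dedicated deployment, including the TZ = UTC setting described above. The listening port, sourcetype and index names, and the event layout matched by REGEX are assumptions; only the four field names (username, total_megabytes, megabytes_remaining, synced_percentage) come from the reports in this article.

```ini
# ---- inputs.conf (/opt/splunk/etc/system/local) ----
# Assumed: appliance sends syslog over UDP to 514; use a high port such as
# 5514 if Splunk does not run with the privilege to bind 514.
[udp://514]
sourcetype = filedirector:syslog
index = filedirector
connection_host = dns

# ---- props.conf ----
# The appliance stamps events in UTC; telling Splunk so keeps _time correct
# and lets searches be run in the user's local time (the point made above).
[filedirector:syslog]
TZ = UTC
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 32
REPORT-fd_fields = fd_sync_fields

# ---- transforms.conf ----
# Constructed sample event (layout ASSUMED, not the real appliance format):
#   Aug 25 10:15:22 fd-appliance filedirector: user=jsmith total_mb=2048 remaining_mb=512 synced=75
# Adjust REGEX to the events you actually receive; the named groups must
# keep these field names because the data models and reports use them.
[fd_sync_fields]
REGEX = user=(?<username>\S+)\s+total_mb=(?<total_megabytes>\d+)\s+remaining_mb=(?<megabytes_remaining>\d+)\s+synced=(?<synced_percentage>\d+)

# Verification search to run after restarting Splunk (should list one row per user):
#   index=filedirector sourcetype=filedirector:syslog
#   | stats max(megabytes_remaining) AS "Max of megabytes_remaining" BY username
```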

     

    Once these have been imported, the operational dashboard prerequisite reports can be configured.

    Configure Data Models:

    Upload the following attached .json files to create the Data Models:

    See Attachment: MB_Remaining.json (below)
    See Attachment: Sync_state_of_users.json (below)
    See Attachment: Total_Megabytes.json (below)

    CAUTION: The names must match those in the graphic for the sample reports to work correctly.

    Configure Custom Searches, Reports and Alerts:

    Click 'New' and add the following items:

    Name: MB Remaining for Users
    Expression:
        | pivot MB_Remaining SearchObject max(megabytes_remaining) AS "Max of megabytes_remaining" SPLITROW username AS username SORT 100 username ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

    Name: Sync State of Users
    Expression:
        | pivot Sync_state_of_users SearchObject max(synced_percentage) AS "Max of synced_percentage" SPLITROW username AS username FILTER synced_percentage = * SORT 100 username ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

    Name: Total Megabytes
    Expression:
        | pivot Total_Megabytes SearchObject max(total_megabytes) AS "Total Megabytes" SPLITROW username AS username SORT 100 username ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1

    Optional steps to create an experimental dashboard for demo purposes:

    Create a new dashboard.

    Click 'edit / edit source' once you have created the new dashboard and paste the following XML:

    See Attachment: dashboard.xml (below)

    Click 'save' to complete.

    To install the FD_Health_Status_Dashboard, the only prerequisite is to be running a supported version of the File Director appliance - this is currently 4.2 update 2 (not 4.3).

    THIS SOLUTION AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

    IMPORTANT: Please take care when executing any changes to your systems. We strongly recommend a full system backup is performed prior to use of the supplied solution.

    References

    www.splunk.com