Skip to main content

Splunk Observability

Splunk Observability allows users to search, monitor, and analyze machine-generated big data. Splunk Observability enables collecting and monitoring metrics, logs, and traces from common data sources. Data collection and monitoring in one place enables full-stack, end-to-end observability of the entire infrastructure.

Splunk Observability is different from the Splunk Core that powers Splunk Cloud / Enterprise and is the traditional log management solution from Splunk. Nobl9 also integrates to that through a different set of APIs.

Authentication

SplunkObservability is SaaS but the URL which indicates the realm (region) needs to be provided. For more details, refer to Realms in Endpoints | Splunk Observability Documentation.

When deploying the N9 agent for SplunkObservability, it is required to provide

SPLUNK_OBSERVABILITY_ACCESS_TOKEN 

as an environment variable for authentication with organization API Access Token (see Create an Access Token | Splunk Observability Documentation). There is a placeholder for that value in configuration obtained from installation instructions in the Nobl9 UI (refer to the Agent Configuration in the UI section).

Adding Splunk Observability Realm

Splunk Observability connection also requires entering your organization’s Realm. Follow the below instructions to get your API endpoint for the Realm in Splunk:

  1. In your Splunk account, go to Settings > Profile.

  2. Go to the Endpoints section

  3. Choose the URL from the API field.

Splunk account

note
  • Access tokens are valid for 30 days.

  • Customers could use Org tokens which are valid for 5 years. Org tokens can also be used to generate session tokens

    • Sample access token for Splunk Observability: t4QJpMY1XLcECzm1c5Jb0A

Adding Splunk Observability as a Data Source in the UI

To add Splunk Observability as a data source in Nobl9 using the Agent or Direct connection method, follow these steps:

  1. Navigate to Integrations > Sources.

  2. Click the plus button button.

  3. Click the Splunk Observability icon.

  4. Choose Direct or Agent, then configure the source as described below.

Splunk Observability Direct

Direct Configuration in the UI

Direct connection to Splunk Observability requires users to enter their credentials which Nobl9 stores safely. To set up this type of connection:

  1. Enter your organization's Realm to connect your data source.
    Refer to the Authentication section above for more details.

  2. Enter the Access Token environment variable for authentication with the organization API Access Token.
    Refer to the Authentication section above for more details.

  3. Select a Project (mandatory).
    Specifying a Project is helpful when multiple users are spread across multiple teams or projects. When the Project field is left blank, a default value appears.

  4. Enter a Display name (optional).
    You can enter a friendly name with spaces in this field.

  5. Enter a Name (mandatory).
    The name is mandatory and can only contain lowercase, alphanumeric characters and dashes (for example, my-project-name). This field is populated automatically when you enter a display name, but you can edit the result.

  6. Enter a Description (optional).
    Here you can add details such as who is responsible for the integration (team/owner) and the purpose of creating it.

  7. Click the Add Data Source button.

Splunk Observability Agent

Agent Configuration in the UI

Follow the instructions below to configure your Splunk Observability Agent. Refer to the section above for the description of the fields.

  1. Enter your organization's Realm to connect your data source.

  2. Enter a Project (mandatory).

  3. Enter a Display name (optional).

  4. Enter a Name (mandatory).

  5. Enter a Description (optional).

  6. Click the Add Data Source button.

Deploying Splunk Observability Agent

When you add the data source, Nobl9 automatically generates a Kubernetes configuration and a Docker command line for you to use to deploy the Agent. Both of these are available in the web UI, under the Agent Configuration section. Be sure to swap in your credentials (e.g., replace the <SPLUNK_OBSERVABILITY_ACCESS_TOKEN> with your organization key).

If you use Kubernetes, you can apply the supplied YAML config file to a Kubernetes cluster to deploy the Agent. It will look something like this:

# DISCLAIMER: This Deployment description is containing only the necessary fields for the purpose of this demo.
# It is not a ready-to-apply k8s deployment description and the client_id as well as the client_secret are only exemplary values.

apiVersion: v1
kind: Secret
metadata:
name: nobl9-agent-nobl9-dev-dwq-ble
namespace: default
type: Opaque
stringData:
splunk_observability_access_token: "<SPLUNK_OBSERVABILITY_ACCESS_TOKEN>"
client_id: "unique_client_id"
client_secret: "unique_client_secret"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nobl9-agent-nobl9-dev-splunkobs-deployment
namespace: default
spec:
replicas: 1
selector:
matchLabels:
nobl9-agent-name: "splunkobs"
nobl9-agent-project: "deployment"
nobl9-agent-organization: "nobl9-dev"
template:
metadata:
labels:
nobl9-agent-name: "splunkobs"
nobl9-agent-project: "deployment"
nobl9-agent-organization: "nobl9-dev"
spec:
containers:
- name: agent-container
image: nobl9/agent:latest
resources:
requests:
memory: "350Mi"
cpu: "0.1"
env:
- name: N9_CLIENT_ID
valueFrom:
secretKeyRef:
key: client_id
name: nobl9-agent-nobl9-dev-splunkobs-deployment
- name: N9_CLIENT_SECRET
valueFrom:
secretKeyRef:
key: client_secret
name: nobl9-agent-nobl9-dev-dwq-ble
- name: SPLUNK_OBSERVABILITY_ACCESS_TOKEN
valueFrom:
secretKeyRef:
key: splunk_observability_access_token
name: nobl9-agent-nobl9-dev-dwq-ble

Creating SLOs with Splunk Observability

Creating SLOs in the UI

Follow the instructions below to create your SLOs with Splunk Observability in the UI:

  1. Navigate to Service Level Objectives.

  2. Click the plus button button.

  3. In step 2, select Splunk Observability as the Data Source for your SLO, then specify the Metric. You can choose either a Threshold Metric, where a single time series is evaluated against a threshold, or a Ratio Metric, which allows you to enter two time series to compare (for example, a count of good requests and total requests). Then, enter a Program (for the Threshold metric), or Program for good counter, and Program for total counter (for the Count metric). The following are program examples:

    1. Threshold metric for Splunk Observability:

      A = data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'), rollup='rate').mean().publish(label='A', enable=False);
      B = data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'), rollup='rate').stddev().publish(label='B', enable=False);
      C = (B/A).publish(label='C');
    2. Ratio metric for Splunk Observability:

      Program for good counter: data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'),rollup='rate').stddev().publish()

      Program for total counter: data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'), rollup='rate').mean().publish()

  4. In step 3, define a Time Window for the SLO.

  5. In step 4, specify the Error Budget Calculation Method and your Objective(s).

  6. In step 5, add a Name, Description, and other details about your SLO. You can also select Alert Policies and Labels on this screen.

  7. When you’re done, click Create SLO.

SLOs using Splunk Observability - YAML samples

Here’s an example of Splunk Observability using a rawMetric (Threshold metric):

- apiVersion: n9/v1alpha
kind: SLO
metadata:
name: tokyo-server-4-latency
displayName: Server4 Latency [Tokyo]
project: splunk-observability
spec:
description: Latency of Server4 in Tokyo ragion
service: splunk-observability-demo-service
indicator:
metricSource:
name: splunk-observability
timeWindows:
- unit: Day
count: 1
calendar:
startTime: 2020-01-21 12:30:00
timeZone: America/New_York
budgetingMethod: Occurrences
objectives:
- displayName: Excellent
op: lte
rawMetric:
query:
splunkObservability:
program: 'data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'), rollup='rate').mean().publish()'
value: 200
target: 0.8
- displayName: Good
op: lte
rawMetric:
query:
splunkObservability:
program: 'data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'), rollup='rate').mean().publish()'
value: 250
target: 0.9
- displayName: Poor
op: lte
rawMetric:
query:
splunkObservability:
program: 'data('demo.trans.count', filter=filter('demo_datacenter', 'Tokyo'), rollup='rate').mean().publish()'
value: 300
target: 0.99

Important notes:

Metric specification from SplunkObservability has 1 field:

  • program – it is a SignalFlow analytics program and is mandatory (string). Search criteria that return exactly one time series. Program needs to return only one key in the data map (one time series). For more details, see the Query Examples section.

Query Examples

For details on Splunk Observability queries syntax, check Signalflow | Splunk Observability Documentation.

Querying the Splunk Observability Server

Nobl9 queries Splunk observability 4 data points every minute, resulting in a 15-second resolution.

Splunk Observability API Rate Limits

You can control your resource usage using org token (Access Tokens) limits. For more information, refer to the Org token limits | Splunk Observability Documentation and the System limits for Splunk Infrastructure Monitoring | Splunk Observability Documentation.

Splunk Observability Cloud Documentation | Splunk Observability Documentation

Create an Access Token | Splunk Observability Documentation

Realms in Endpoints | Splunk Observability Documentation

Signalflow | Splunk Observability Documentation

Org token limits | Splunk Observability Documentation

System limits for Splunk Infrastructure Monitoring | Splunk Observability Documentation