Splunk

Reading time: 0 minute(s) (0 words)

Splunk provides software for searching, monitoring, and analyzing machine-generated data via a Web-style interface. Splunk-Nobl9 integration allows users to enter their metrics using the Splunk Processing Language (SPL).

Splunk parameters and supported features in Nobl9

General support:

Release channel: Stable, Beta

Connection method: Agent, Direct

Replay and SLI Analyzer: Historical data limit 30 days

Event logs: Supported

Query checker: Not supported

Query parameters retrieval: Supported

Timestamp cache persistence: Supported

---

Query parameters:

Query interval: 1 min

Query delay: 5 min

Jitter: 20 sec

Timeout: 30 sec

---

Agent details and minimum required versions for supported features:

Plugin name: n9splunk

Query delay environment variable: SPLUNK_QUERY_DELAY

Replay and SLI Analyzer: 0.65.0

Query parameters retrieval: 0.73.2

Timestamp cache persistence: 0.65.0

Custom HTTP headers: 0.89.1-beta

---

Additional notes:

Self-signed Splunk Enterprise certificates are not supported. Nobl9 requires successful certificate validation for any Splunk Enterprise instance using TLS, and self-signed certificates cannot pass this validation

Creating SLOs with Splunk

Nobl9 Web

1. Navigate to Service Level Objectives.

2. Click .

3. Select a Service.
   It will be the location for your SLO in Nobl9.

4. Select Splunk as the data source for your SLO.

5. Modify Period for Historical Data Retrieval, when necessary.

   • This value defines how far back in the past your data will be retrieved when replaying your SLO based on Splunk.
   • A longer period can extend the data loading time for your SLO.
   • Must be a positive whole number up to the maximum period value you've set when adding the Splunk data source.

6. Select the Metric type:

   • Threshold Metric, where a single time series is evaluated against a threshold.

   • Ratio Metric, where you enter two time series for a good and total counter.

   • Ratio Metric, where you can select the query structure: Single query or Two queries.

     • Using the Single query option, you enter one query to compare both time series: for the good and total counters.

     • The Two queries option allows you to enter two time series to compare—a count of good requests and total requests.

     For the ratio metrics, select the Data Count Method:

     • Non-incremental: counts incoming metric values one-by-one. So the resulting SLO graph is pike-shaped.
     • Incremental: counts the incoming metric values incrementally, adding every next value to previous values. It results in a constantly increasing SLO graph.

7. Define the Query. It must be in the Splunk Search Processing Language and meet the following requirements:

   • Every query must contain n9 fields, and Splunk must return their values in the dataset:
   The required n9 values per metric type

   Threshold	Two-query ratio	Single-query ratio	Description
   n9time	n9time	n9time	A Unix timestamp
   n9value	n9value	not required	Float number
   not required	not required	n9good	Float number
   not required	not required	n9total	Float number

   • The query can retrieve data from either Events or Metrics Splunk indexes.

   • Nobl9 validates the queries to contain the respective n9 field along with index= with the value.

   • Dataset time ranges are segmented into 15-second chunks and aggregated as shown in the table:

     Dataset aggregation

     Threshold	Ratio incremental	Ratio non-incremental
     Average	Maximum value	Sum of values

SLI values for good and total

When choosing the query for the ratio SLI (countMetrics), keep in mind that the values ​​resulting from that query for both good and total:

• Must be positive.
• While we recommend using integers, fractions are also acceptable.
• If using fractions, we recommend them to be larger than 1e-4 = 0.0001.
• Shouldn't be larger than 1e+20.

8. Define the Time window for your SLO:

   • Rolling time windows constantly move forward as time passes. This type can help track the most recent events.
   • Calendar-aligned time windows are usable for SLOs intended to map to business metrics measured on a calendar-aligned basis.
9. Configure the Error budget calculation method and Objectives:

   • Occurrences method counts good attempts against the count of total attempts.
   • Time Slices method measures how many good minutes were achieved (when a system operates within defined boundaries) during a time window.
   • You can define up to 12 objectives for an SLO.
   
   
   Similar threshold values for objectives
   To use similar threshold values for different objectives in your SLO, we recommend differentiating them by setting varying decimal points for each objective.
   For example, if you want to use threshold value 1 for two objectives, set it to 1.0000001 for the first objective and to 1.0000002 for the second one.
   Learn more about threshold value uniqueness.
10. Add the Display name, Name, and other settings for your SLO:

    • Name identifies your SLO in Nobl9. After you save the SLO, its name becomes read-only.
      Use only lowercase letters, numbers, and dashes.
    • Create composite SLO: with this option selected, you create a composite SLO 1.0. Composite SLOs 1.0 are deprecated. They're fully operable; however, we encourage you to create new composite SLOs 2.0.
      You can create composite SLOs 2.0 with sloctl using the provided template. Alternatively, you can create a composite SLO 2.0 with Nobl9 Terraform provider.
    • Set Notifications on data. With it, Nobl9 will notify you in the cases when SLO won't be reporting data for more than 15 minutes.
    • Add alert policies, labels, and links, if required.
      Up to 20 items of each type per SLO is allowed.
11. Click CREATE SLO.


SLO configuration use case
Check the SLO configuration use case for a real-life SLO example.

sloctl

Threshold (rawMetric)

Sample Splunk threshold SLO

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: api-server-slo
  displayName: API Server SLO
  project: default
  labels:
    area:
      - latency
      - slow-check
    env:
      - prod
      - dev
    region:
      - us
      - eu
    team:
      - green
      - sales
  annotations:
    area: latency
    env: prod
    region: us
    team: sales
spec:
  description: Example Splunk SLO
  indicator:
    metricSource:
      name: splunk
      project: default
      kind: Agent
  budgetingMethod: Occurrences
  objectives:
    - displayName: Good response (200)
      value: 200
      name: ok
      target: 0.95
      rawMetric:
        query:
          splunk:
            query: >-
              index=* source=udp:5072 sourcetype=syslog status<400 | bucket
              _time span=1m | stats avg(response_time) as n9value by _time |
              rename _time as n9time | fields n9time n9value
      op: lte
      primary: true
  service: api-server
  timeWindows:
    - unit: Month
      count: 1
      isRolling: false
      calendar:
        startTime: 2022-12-01T00:00:00.000Z
        timeZone: UTC
  alertPolicies:
    - fast-burn-5x-for-last-10m
  attachments:
    - url: https://docs.nobl9.com
      displayName: Nobl9 Documentation
  anomalyConfig:
    noData:
      alertMethods:
        - name: slack-notification
          project: default

Ratio (countMetric) two queries

Sample Splunk two-query ratio SLO

apiVersion: n9/v1alpha
kind: SLO
metadata:
  name: api-server-slo
  displayName: API Server SLO
  project: default
  labels:
    area:
      - latency
      - slow-check
    env:
      - prod
      - dev
    region:
      - us
      - eu
    team:
      - green
      - sales
  annotations:
    area: latency
    env: prod
    region: us
    team: sales
spec:
  description: Example Splunk SLO
  indicator:
    metricSource:
      name: splunk
      project: default
      kind: Agent
  budgetingMethod: Occurrences
  objectives:
    - displayName: Good response (200)
      value: 1
      name: ok
      target: 0.95
      countMetrics:
        incremental: true
        good:
          splunk:
            query: >-
              index=* source=udp:5072 sourcetype=syslog status<400 | bucket
              _time span=1m | stats count as n9value by _time | rename _time as
              n9time | fields n9time n9value
        total:
          splunk:
            query: >-
              index=* source=udp:5072 sourcetype=syslog | bucket _time span=1m |
              stats count as n9value by _time | rename _time as n9time | fields
              n9time n9value
      primary: true
  service: api-server
  timeWindows:
    - unit: Month
      count: 1
      isRolling: false
      calendar:
        startTime: 2022-12-01T00:00:00.000Z
        timeZone: UTC
  alertPolicies:
    - fast-burn-5x-for-last-10m
  attachments:
    - url: https://docs.nobl9.com
      displayName: Nobl9 Documentation
  anomalyConfig:
    noData:
      alertMethods:
        - name: slack-notification
          project: default

Ratio (countMetric) single query

Sample Splunk single-query ratio SLO

- apiVersion: n9/v1alpha
  kind: SLO
  metadata:
    name: my-splunk-ratio-single-query-slo
    project: my-project
    #displayName: My Splunk ratio SLO single query
    #labels:
    #  area:
    #    - latency
    #    - slow-check
    #  team:
    #    - green
    #    - sales
    #annotations:
    #  area: latency
    #  team: sales
  spec:
    #description: Sample Splunk ratio SLO single query
    indicator:
      metricSource:
        name: splunk
        project: my-project
        kind: Agent
    budgetingMethod: Timeslices
    objectives:
      - name: my-objective
        #displayName: My objective (200)
        value: 1.0
        target: 0.95
        timeSliceTarget: 0.9
        countMetrics:
          incremental: true
          goodTotal:
            splunk:
              query: |-
                | mstats avg("spl.intr.resource_usage.IOWait.data.avg_cpu_pct") as n9good WHERE index="_metrics" span=15s
                | join type=left _time [
                | mstats avg("spl.intr.resource_usage.IOWait.data.max_cpus_pct") as n9total WHERE index="_metrics" span=15s]
                | rename _time as n9time 
                | fields n9time n9good n9total
        primary: true
    service: my-service
    timeWindows:
      - unit: Hour
        count: 1
        isRolling: true
    #alertPolicies:
    #  - my-alert-policy
    #attachments:
    #  - url: https://my-url.com
    #    displayName: My URL
    #anomalyConfig:
    #  noData:
    #    alertMethods:
    #      - name: my-alert-method
    #        project: my-project

Query tips, requirements, and samples

• For the best experience, keep query run time short enough to return results within 1–2 minutes. For example, when you query data for the last 15 minutes, the response should return within less than one minute.
  You can check query duration using Splunk's Search Job Inspector or learn quick tips for query optimization.

• Agent version requirements for single-query ratio metrics

  Name	Stable	Beta
  Single-query ratio metric	0.80.0	0.80.0-beta
  Replay and SLI Analyzer	0.82.2	0.82.0-beta

• Every query must contain n9 fields, and Splunk must return their values in the dataset. The n9 fields are as follows:

  The required n9 values per metric type

  Threshold	Two-query ratio	Single-query ratio	Description
  n9time	n9time	n9time	A Unix timestamp
  n9value	n9value	not required	Float number
  not required	not required	n9good	Float number
  not required	not required	n9total	Float number

  Use Splunk field extractions to return values with the exact names. The n9time is the actual time, and the n9value, n9good, and n9total are metric values.

  Typically, you rename _time to n9time and the field containing metric values (for example, response_time)—to the n9value, n9good, or n9total.

  For example,

  index=myserver-events source=udp:5072 sourcetype=syslog response_time>0
  | rename _time as n9time, response_time as n9value
  | fields n9time n9value
  Query frequency

  The Splunk query is by default executed once per minute, returning the values found in the fields n9time and n9value. Ensure your hardware can support the query frequency or consider increasing the Query Interval.

• The query can retrieve data from either Events or Metrics Splunk indexes.

  • Nobl9 validates the queries to contain the respective n9 field along with index= with the value.

  • Dataset time ranges are segmented into 15-second chunks and aggregated. The aggregation is as follows:

    Dataset aggregation

    Threshold	Ratio incremental	Ratio non-incremental
    Average	Maximum value	Sum of values

• The index attribute ("index=index_name") lets avoiding long-running queries.

  • The query can retrieve data from both the Events and Metrics indexes.
  • To retrieve Metrics data, use the | mstats command.
  • To retrieve data from the Events and Metrics indexes, enter the SPL query and select a proper index: index=_metrics or index=_events, where _metrics is the name of the metrics index, and _events is the name of the events index.

• Sample query for the Events index:

search index=_events sourcetype=syslog status<400
| bucket _time span=1m
| stats count as n9value by _time
| rename _time as n9time
| fields n9time n9value

• Sample query for the Metrics index:

| mstats avg("my.metric") as n9value WHERE index=_metrics span=15s
| rename _time as n9time
| fields n9time n9value

• Sample single query for the Metrics index:

| mstats avg("spl.intr.resource_usage.IOWait.data.avg_cpu_pct") as n9good WHERE index="_metrics" span=15s
| join type=left _time [
| mstats avg("spl.intr.resource_usage.IOWait.data.max_cpus_pct") as n9total WHERE index="_metrics" span=15s]
| rename _time as n9time
| fields n9time n9good n9total

Querying Splunk server

The Nobl9 agent leverages Splunk Enterprise API parameters. It pulls data at a per-minute interval from the Splunk server.

API rate limits for the Nobl9 agent

Splunk Enterprise API rate limits are configured by its administrators. Rate limits must be high enough to accommodate searches from the Nobl9 agent. The Nobl9 agent makes one query per minute per unique query.

Read more in Maximum and actual search concurrency calculations | Splunk community.

Concurrent searches

For the best results, the number of concurrent searches must be about the same as the number of SLIs you have for this data source.

Number of events returned from Splunk queries

Supported search SPL command searches within indexed events. The total number of events can be large, and a query without specific conditions, such as search sourcetype=*, returns all indexed events. A large number of data points sent to Nobl9 could disrupt the system’s performance. Therefore, there is a hard limit of 4 events per minute.

File-based queries and Splunk disk quota

If you’re using file-based queries (the inputlookup function) instead of index-based queries, your query might not work as expected. Due to the difference in jitter configuration between Splunk and Nobl9, you might need to increase your Splunk disk quota for the inputlookup function to work properly.

To determine the appropriate disk quota size for your Splunk account, we recommend the following steps:

1. Go to the Splunk UI and navigate to Activity > Jobs.
2. Filter the logs by the user you currently use in Nobl9 App.
3. Execute requests at 29-second intervals to gather all logs from the corresponding cycle.
4. Sum the sizes of all requests from the list to determine the minimum disk quota. It is important to add a buffer to this number for safety.
5. Once you have created more SLOs, adjust the disk quota accordingly.

We suggest increasing the quota to 2GB to resolve the issue. However, it’s important to note that the final disk quota size will depend on the data being queried.

Known limitations

Query limitations:

• earliest and latest are not allowed in the Time Range Modifiers search command.

Useful links

For a more in-depth look, consult additional resources:

REST accessSplunk docsCreate auth tokensSplunk docsAgent metricsAgentCreating SLOs via TerraformTerraformCreating agents via TerraformTerraform