Hi folks,
I'm sharing a new template I've developed to monitor Splunk Enterprise using the Splunk REST API. This template provides comprehensive monitoring of license status, server health, system information, and configuration.

Licensing monitoring:
- Quota usage (peers, slaves, total, used %)
- Automatic license discovery with LLD, filtering the default Splunk licenses (macro not matches. ^F+D*$)
- Monitor each license individually
- License State
- License type
- Trigger for license caducity (60d info, 30d warn, 15d avg, 5d high, <1d crit) all configurable by macros
- Trigger license expired (critical)
- Trigger for quota used % (>80, >90%, >95%, 100%)

Health monitoring:
- Overall health of splunkd
- File Monitor Health
- Http Event Collector Health (HEC)
- Index Processor Health
- Resource Usage Health
- Search Scheduler Health
- Workload Management Health

System information:
- Splunk version and build
- CPU Architecture
- Ports configuration
- Path configuration (Splunk_DB, Splunk_HOME)

Other features:
- I tried to avoid many API calls by using 1 master call (for 3 endpoints); all other items are dependent items with "Discard unchanged with heartbeat" preprocessing.
- Preprocessing to remove sensitive data (pass4SymmKey) before Zabbix "saves" the raw item (JavaScript preprocessing to remove the key).
- Triggers with dependencies (avoiding duplicated alerts).
- Macro driven configuration
- Also has some triggers to check API connectivity (no data for 30 minutes)

Required Macros:
- {$SPLUNK.ENTERPRISE.API.BASEURL} - API URL (e.g., https://mysplunk.com:8089)
- {$SPLUNK.ENTERPRISE.API.USER} - API Username
- {$SPLUNK.ENTERPRISE.API.PASSWORD} - API Password

API Endpoints Used:
- /services/licenser/licenses (for Discovery rule)
- /services/licenser/usage/license_usage
- /services/server/health/splunkd/details
- /services/server/info
- /services/server/settings

Tested on:
- Splunk Enterprise Developer License v9.4.1 (on-prem, Proxmox VM)
- Following the REST API v10 guide https://help.splunk.com/en/splunk-en...reference-list
- Zabbix 7.4.6 (but I think that will work on any 7.x and 6.x versions)

GitHub: https://github.com/guillerg86/zabbix-splunk
I'd love to hear your feedback, suggestions, or improvements! If you have ideas for additional features, encounter any issues, or want to contribute to the template, please feel free.
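
The pass4SymmKey redaction step mentioned in the post, sketched as an added example (this is not the template's own code). It assumes the master item returns Splunk's JSON output; the names `maskSecrets`, `redact`, `MASK` and the sample response are hypothetical and constructed for illustration.

```javascript
// Added example, not the template's code. Written in ES5 style because
// Zabbix runs preprocessing scripts on the Duktape engine.
var SENSITIVE_KEYS = ['pass4symmkey'];   // compared case-insensitively
var MASK = '***REDACTED***';             // hypothetical placeholder value

// Walk any JSON structure and mask the values of sensitive keys in place,
// so the result does not depend on where the key sits in the response.
function maskSecrets(node) {
    if (Array.isArray(node)) {
        node.forEach(maskSecrets);
    } else if (node !== null && typeof node === 'object') {
        Object.keys(node).forEach(function (key) {
            if (SENSITIVE_KEYS.indexOf(key.toLowerCase()) !== -1) {
                node[key] = MASK;
            } else {
                maskSecrets(node[key]);
            }
        });
    }
    return node;
}

// `value` is the raw HTTP agent response handed to the preprocessing step.
function redact(value) {
    var parsed;
    try {
        parsed = JSON.parse(value);
    } catch (e) {
        // Fail closed: an unparsed body may still contain the key.
        throw new Error('response is not valid JSON, refusing to store it');
    }
    return JSON.stringify(maskSecrets(parsed));
}

// Constructed sample shaped like a /services/server/settings reply (values invented).
var SAMPLE = JSON.stringify({
    entry: [{
        name: 'settings',
        content: { SPLUNK_HOME: '/opt/splunk', pass4SymmKey: '$7$constructedSecret==', mgmtHostPort: 8089 }
    }]
});
```

In a Zabbix JavaScript preprocessing step the body would end with `return redact(value);`. Place it as the first step of the master item so the unredacted response never reaches history or the dependent items.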