Fire Brigade version 2
Overview
Details
Fire Brigade app 2.0
A Splunk app to provide insight into index state
This application is aimed at helping administrators understand the current
state of their index, as it relates to disk footprint, and the retention
settings for the index.
Due to changes in the operation of dbinspect introduced in Splunk 6.0, as well
as changes to the application packaging, this app by itself is no longer
sufficient to collect data for a standalone system. The TA-fire_brigade
application will also be required, to act as the data collection source.
In a distributed environment, the TA-fire_brigade app will also be required.
In small environments, a single installation of the TA on the search head can
collect data from all of the indexers. In larger installations, however, the
TA should be installed on all indexing nodes, and not on the search head.
The TA (and a saved search within the full app) collects data using the
dbinspect search command. This detail of the constituent buckets in the index
is used to drive several visualizations about the state of the index.
Compatibility
The output from the dbinspect command changed in version 6.0. This app is
specifically tuned for version 6.0 and higher. If you're running Splunk 4.3 or
Splunk 5.x, use TA-fire_brigade version 1.
Thanks and Acknowledgements
Thanks to all of the sites that tested early versions of the application. My
colleagues were helpful in getting the application to a wider audience, as
well as providing critical feedback in improving the dashboards.
Dritan Bitincka, Yisroel Bongart, Tian Chen, Michael Cormier, Joe Cramasta,
Fred de Boer, Octavio di Sciullo, John Dunlea, Nick Filippi, Charles Fox,
Marc Francoeur, Adam Gabel, Thomas Gadbois, Jim Goddard, Bob Hartley,
Tim Hatcher, Zhiyi Huang, Robert Knoeppler, Mark Lindsey, James Lord,
Mike Loven, Nick Malecky, Nate McKervey, Erick Mechler, Craig Nelson,
Shane Newman, Chad O'Neal, Drew Osborne, David Paper, Cheryl Phair,
Rich Prescott, Greg Quale, Vladimir Serebryany, Matthew Settipane,
Sandy Voellinger, Brian Wooden
Supporting Add-Ons
For distributed search environments, this application only needs to be installed on the Search Heads. However, a data collection add-on, TA-fire_brigade version 2 should be installed on the indexers to collect the data required for Fire Brigade.
Release Notes
Version 2.0.3
* Fix the "Bucket Age vs. Age Limit" view to show the searchable span for both live and thawed data.
* Account for the default value of 0 (instead of null) in homePath.maxDataSizeMB and coldPath.maxDataSizeMB.
* Add a new view, the "Retention Overview" to show all of the retention dials on an index at once. This view is interactive, featuring in-page drilldown (6.0 compatible).
* Separated the "time trend" searches from the "current state" searches for improved dashboard performance. It results in more running searches, but the searches themselves are more focused, and can therefore complete more quicky.
* Improve the "Reason" detection / parsing of the "Bucket Lifecycle" view.
Version 2.0.2
* New view added to the nav: Matrix Overview. This is purely REST, and therefore doesn't require waiting on dbinspect (TA-fire_brigade) to do its job.
* Added a search bar to the nav so that it's easy to search with Fire Brigade's macros and knowledge objects.
* Improved the visualization of the "Indexer Host Overview", making it easy to spot at-or-near capacity indexes.
* Various bugfixes.
Version 2.0.1
Fix a user-discovered bug: environments making use of the new distributed dbinspect from the search head alone will observe all the data usage as arising from the search head in some views.
Version 2.0
Provides support for Splunk Enterprise 6.
Showcases some of the new visualization features in Splunk Enterprise 6.