
Splunk Dashboards outside of Splunk (part 2)

I recently blogged about a cool open source tool: a Splunk dashboard. In less than an hour, you could easily bring up a central dashboard to visually oversee Splunk administration duties. Here is a basic review of how to get the dashboard working in combination with the Check Splunk tool.

Prerequisites:

  • spdash
  • checksplunk
  • crontab competency
  • ssh competency
  • web server competency
  • cgi-bin competency

Even if you are not very familiar with the above items, there is plenty of information available on the web to get things going. The README files that come along with the tools are very useful and should be reviewed before proceeding. The following steps are an outline of what I performed to get the dashboard working:

Step 1: Install the spdash software on the web server host

  • Installed onto my Linux server splunkdemo1
  • Installation consisted of: enabling the web server and placing the spdash scripts into the cgi-bin location
  • Runs on top of the OS-installed Apache web server from /var/www/cgi-bin/spdash
  • Runs on port 80
  • Edited the spdash script so that the $STAT directory is located in /opt/demos/splunkdash/status
  • Created the above directory so that it contains ALL of the files used to compose spdash. Logs, statistics, etc. are here

Step 2: Install the checksplunk software on the Splunk server

  • Installed onto my Linux server splunkdemo1
  • Installation consisted of: placing the checksplunk script in its own directory, creating a directory to store results, and enabling a local crontab to run checksplunk on a regular interval (see step 3 for the example command)
  • OPTIONAL – Install checksplunk onto your other Splunk servers (my example uses hosts located at 10.1.1.1 and 10.1.1.2)

Step 3: Retrieve the checksplunk data

  • Set up a crontab on the web server host to retrieve the checksplunk data

My crontab on splunkdemo1 is as follows:

splunkdemo1>crontab -l
*/5 * * * * /opt/demos/splunkdash/j2ee/checksplunk spdash
*/7 * * * * /opt/demos/splunkdash/email/checksplunk spdash
*/8 * * * * scp root@10.1.1.1:/opt/splunkdash/status/interop* /opt/demos/splunkdash/status/
*/6 * * * * scp root@10.1.1.2:/opt/splunkdash/status/cmdemo* /opt/demos/splunkdash/status/

You will notice that I am running two remote secure copies and two local checksplunk commands. The local checksplunks are configured to feed data to the /opt/demos/splunkdash/status directory.

Once you have checksplunk data feeding to the status directory, the cgi script should immediately pick up the data.
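The crontab above pulls the remote files as root straight into the directory the cgi script reads. As an added example (not part of spdash, checksplunk or the original post), the script below does the same pull as an unprivileged account, stages the files, and only installs regular files with the expected prefix. The account name spdash, the key path, the size ceiling and the file-name character policy are assumptions.

```shell
#!/bin/sh
# Added example, not part of spdash or checksplunk.
# Assumed (hypothetical) names: account "spdash", key path, size ceiling.
STATUS_DIR=/opt/demos/splunkdash/status   # $STAT directory from step 1
PULL_USER=spdash                          # unprivileged account on the Splunk hosts
PULL_KEY=/home/spdash/.ssh/id_pull        # key used only for this pull
MAX_BYTES=1048576                         # reject anything larger than 1 MiB

# install_status_files SRC DEST PREFIX
# Copies only regular files named PREFIX* (safe characters, no symlinks,
# bounded size) from SRC into DEST and prints how many were installed.
install_status_files() {
    src=$1; dest=$2; prefix=$3; count=0
    for f in "$src"/*; do
        name=${f##*/}
        case $name in
            *[!A-Za-z0-9._-]*) continue ;;   # unexpected characters
            "$prefix"*) ;;                   # expected feed name
            *) continue ;;
        esac
        [ -L "$f" ] && continue              # never follow symlinks
        [ -f "$f" ] || continue              # regular files only
        size=$(wc -c < "$f")
        [ "$((size))" -le "$MAX_BYTES" ] || continue
        tmp="$dest/.$name.$$"
        # Copy under a temporary name, then rename, so the cgi script
        # never reads a half-written file.
        cp "$f" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest/$name" &&
            count=$((count + 1))
    done
    echo "$count"
}

# pull_status HOST PREFIX
# Fetches PREFIX* from one Splunk host into a private staging directory,
# then vets the files before they reach the status directory.
pull_status() {
    host=$1; feed=$2
    staging=$(mktemp -d) || return 1
    scp -q -o BatchMode=yes -i "$PULL_KEY" \
        "$PULL_USER@$host:/opt/splunkdash/status/$feed*" "$staging"/ &&
        install_status_files "$staging" "$STATUS_DIR" "$feed" >/dev/null
    rc=$?
    rm -rf "$staging"
    return "$rc"
}

# Cron usage: */8 * * * * /path/to/this-script 10.1.1.1 interop
if [ "$#" -eq 2 ]; then pull_status "$1" "$2"; fi
```

On the Splunk hosts, the matching public key can carry the `restrict` option in authorized_keys, which disables forwarding and PTY allocation for that key.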

----------------------------------------------------
Thanks!
Simeon Yep
