agent_management.conf

The following are the spec and example files for agent_management.conf.

The following are the spec and example files for agent_management.conf.

agent_management.conf.spec

#   Version 10.0.0
#

OVERVIEW

# This file contains descriptions of the settings that you can use to
# configure the Agent Management feature.
#
# There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name agent_management.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[general]

* Agent Management helper process settings. This stanza must exist.

fallback_to_deployment_server_ui = <boolean>
* Indicates which UI the forwarder_management should use. When set to "false", the forwarder_management uses the agent management UI, When set to "true", the forwarder_management uses the deployment server UI.
* Default: false.

log_level = <string> 
* How verbose the logs are.
* log level = DEBUG | INFO | WARN | ERROR | FATAL
* Default: INFO

request_timeout = <string>
* A global request timeout setting that defines how long the Agent Manager processes a request before it times out.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 90s.

[search_client]

* Agent Management helper process settings for the SPL subsystem.

polling_interval = <string>
* How long the Agent Manager waits between HTTP calls to retrieve search results.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 500ms.

query_agents_with_error = <string>
* The SPL search that is run to obtain a list of agents with a status of "error".

query_agents_offline = <string>
* The SPL search that is run to obtain a list of offline agents. 

query_agents_updated_config = <string>
* The SPL search that is run to obtain a list of agents with updated configurations.

query_agent_version = <string>
* The SPL search that is run to obtain a list of agents and their corresponding versions.

query_app_summary = <string>
* The SPL search that is run to obtain a summary of the status of each application.

[splunkd_client]

* Agent Management helper process settings that are used for communicating with splunkd.

connection_pool_size = <integer>
* The number of HTTP connections that can be handled simultaneously by the Agent Manager.
* Default: 10

request_timeout = <string>
* A time limit for HTTP requests made by the Agent Manager to splunkd.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 60s.

connection_keep_alive = <string>
* The maximum amount of time an idle connection made by the Agent Manager to splunkd remains idle before closing.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 5m.

[settings_sync]

* The Agent Management helper process settings for the settings synchronization subsystem.
* The settings synchronization subsystem periodically obtains the Deployment Server settings.

polling_interval = <string>
* How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings.
* Valid values are numbers followed by a time unit.
* Valid time units are "ms", "s", "m", "h".
* Default: 5m.

[effective_configuration]

* Settings dedicated to the Effective Configuration feature.

max_size = <positive integer>
* The maximum size, in megabytes, of the effective configuration 
  that the universal forwarder sends to the Agent Manager, and that
  the deployment server saves.
* The effective configuration of the forwarder is comprised of 
  the rules of operation and data processing for the forwarder,
  specifically, the configuration as shown by various 'splunk
  btool' commands.
* If the size of the effective configuration for a forwarder
  exceeds this value, then the Agent Manager rejects the payload
  as too large, and the deployment server does not save
  the configuration.
* Must be a positive number.
* Default: 16

cleanup_threshold = <positive integer>
* The limit of the total size of all effective configurations
  data on the disk (in MB). When this limit is exceeded,
  the scheduled cron cleanup job will perform the cleanup.
* There is no maximum value for this setting, a very large value
  (over 10000) can cause the cleanup to never run.
* Must be a positive number.
* Default: 6144

cleanup_schedule = <string>
* The cron schedule for cleaning up the effective configuration data.
* The default schedule is set to 3:00 AM every day in the local time zone.
* To turn off the effective configuration cleanup, set the value to "disabled".
* Must be in the cron format.
* Default: 0 3 * * *

agent_management.conf.example

#   Version 10.0.0
#
# This is an example agent_management.conf. Use this file to configure the Agent Management
# settings, such as specifying the connection pool size or timeouts.
#
# There is an agent_management.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name agent_management.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# You must restart the Splunk instance to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[general]
# Indicates which UI the forwarder_management should use. When set to 'false', the forwarder_management uses the agent management UI, When set to 'true', the forwarder_management uses the deployment server UI.
fallback_to_deployment_server_ui = false
# How verbose the logs are.
log_level=INFO
# A global request timeout setting that defines how long the Agent Manager processes a request before it times out.
request_timeout=90s

[search_client]
# How long the Agent Manager waits between HTTP calls to retrieve search results.
polling_interval = 500ms

# The SPL search that is run to obtain a list of agents with a status of "error".
query_agents_with_error = | tstats latest(data.result) as latestResult where index=_dsappevent by data.clientId, data.appName \
| search latestResult!="Ok" \
| join data.clientId [ tstats dc(data.clientId) where earliest=%d index=_dsphonehome by data.clientId ] \
| stats dc(data.clientId) as count

# The SPL search that is run to obtain a list of offline agents.
query_agents_offline = | tstats min(data.lastPhoneHomeTime) as min_time max(data.lastPhoneHomeTime) as max_time count where index=_dsphonehome earliest=%d by data.clientId \
| eval averagePhoneHomeInterval=(max_time-min_time)/(count-1), seconds=(now()-max_time) \
| eval offlineThresholdSeconds=(1.05*averagePhoneHomeInterval+20) \
| where seconds>offlineThresholdSeconds \
| stats count

# The SPL search that is run to obtain a list of agents with updated configurations.
query_agents_updated_config = | tstats dc(data.clientId) as count where index=_dsappevent earliest=%d \
(data.action="Install" OR data.action="Uninstall") AND data.result="Ok"

# The SPL search that is run to obtain a list of agents and their corresponding versions.
query_agent_version = search index=_dsclient \
| stats latest(data.splunkVersion) as version by data.clientId data.package \
| dedup version data.package \
| table version data.package \
| rename data.package as agentType

# The SPL search that is run to obtain a summary of the status of each application.
query_app_summary = | tstats latest(data.action) as lastAction latest(data.result) as lastResult where index=_dsappevent %s by data.clientId data.appName \
| join data.clientId [ tstats dc(data.clientId) where index=_dsphonehome earliest=%d by data.clientId ] \
| stats count(eval(lastAction="Install" AND lastResult="Ok")) AS installedApplications, count(eval(lastResult!="Ok")) AS failedApplications by data.appName

[splunkd_client]
# The number of HTTP connections that can be handled simultaneously by the Agent Manager.
connection_pool_size = 10
# A time limit for HTTP requests made by the Agent Manager to splunkd.
request_timeout = 60s
# The maximum amount of time an idle connection made by the Agent Manager to splunkd remains idle before closing.
connection_keep_alive = 5m

[settings_sync]
# How long the Agent Manager waits between HTTP calls to retrieve the Deployment Server settings.
polling_interval = 5m

[effective_configuration]
# Maximum size in megabytes of effective configuration sent to AM and saved by server.
max_size = 16
# The total size of all effective configurations on the disk (in MB) that enables cleaning in a cron job when exceeded.
cleanup_threshold = 6144
# The cron schedule for triggering cleaning up the effective configuration data.
cleanup_schedule = 0 3 * * *