Create and maintain metric rollup policies through the REST API

When you reach the limit of what you can do with metric rollup policies through Splunk Web, and if you do not have access to the metric_rollups.conf files for your Splunk implementation, you can create, update, and delete metric rollup policies through manual calls to the /catalog/metricstore/rollup REST endpoint.

The following prerequisites apply to all of the procedures in this topic.

Prerequisites

Note: The Splunk Cloud Platform does not support the metrics rollup feature.

Give metric rollup policies features that are unavailable through Splunk Web

When you create or update your metric rollup policies through REST calls, you can give them optional features that are unavailable in Splunk Web by adding them as POST request parameters in your REST calls to the /catalog/metricstore/rollup or the /catalog/metricstore/rollup/{index} endpoints.

Optional feature POST request parameter Description How it improves over Splunk Web
Provide multiple aggregation functions default_agg A list of aggregation functions, separated by # characters. Provides the set of aggregation functions that the rollup search uses when it aggregates the metric data points in the source metric index for a rollup summary. The default_agg parameter can be overruled for specific metrics by the metric_overrides parameter. Metric rollup policies created in Splunk Web are limited to aggregating metrics with avg.
Metric filtering metric_list and metric_list_type These parameters combine to create a filter at the search head that allows certain metrics to be rolled up to the summary but not others. You can designate a set of metric names and then say whether all metrics but those metrics should be excluded or included in the rollup summaries. In Splunk Web, you cannot design a rollup policy that filters specific metrics out of the resulting rollup summaries.
Multiple aggregation functions for metric exclusion rules metric_overrides You can define exclusion rules that specify two or more alternate aggregation functions for a metric. Use this parameter to override the default aggregation for one or more metrics. Each metric override pairs a metric name with one or more aggregation functions separated by # characters. In Splunk Web, you can only specify one alternate aggregation function for a metric.

Create metric rollup policies for apps other than Search & Reporting

By default, metric rollup policies that you create with Splunk Web are given the context of the Search & Reporting app. However, with a REST API call, you can create metric rollup policies in the context of any app you prefer.

To do this, use the /catalog/metricstore/rollup endpoint and embed the app folder name in the endpoint URL. Follow this syntax: 

https://localhost:8089/servicesNS/nobody/<app-name>/catalog/metricstore/rollup

This generates a metric rollup policy in the context of the named app. If you omit the app name, the Splunk platform defaults to search, for the Search and Reporting app.

Note: You cannot designate specific owners for metric rollup policies. If you try to designate one, the system will reset its ownership to "nobody," meaning that it is shared by all users.

Here is an example of a REST call that creates a metric rollup policy for a Buttercup Games app. The metric rollup policy summarizes data on a source index named index_s and places it in two summaries on two target indexes. 

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/buttercupgames/catalog/metricstore/rollup -d name=index_s -d default_agg=avg#max -d dimension_list="app,region" -d dimension_list_type=included -d metric_overrides="foo2|count#avg,foo1|min#avg" -d summaries="1h|index_d_1h,1d|index_d_1d" -d metric_list="foo3,foo4" -d metric_list_type=excluded

For details about the POST request parameters in this REST call, see the entry for the catalog/metricstore/rollup endpoint in the REST API Reference Manual.