
Splunkenterprise Receiver

Status
  • Available in: contrib
  • Maintainers: @shalper2, @MovieStoreGuy, @greatestusername
  • Source: opentelemetry-collector-contrib

Supported Telemetry

Metrics

Overview

Configuration

By default, the Splunk Enterprise receiver is not configured to gather any metrics other than splunk.health.

The following settings are required; omitting them will either cause your receiver to fail to compile or result in 4xx/5xx return codes during scraping.

NOTE: These must be set for each Splunk instance type (indexer, search head, or cluster master) from which you wish to pull metrics. At present, only one of each type is accepted per configured receiver instance. This means, for example, that if you have three different “indexer” type instances that you would like to pull metrics from, you will need to configure three different splunkenterprise receivers, one for each indexer node you wish to monitor.

  • basicauth (from basicauthextension): A configured stanza for the basicauthextension.
  • auth (no default): String name referencing your auth extension.
  • endpoint (no default): your Splunk Enterprise host’s endpoint.
The following settings are optional:
  • collection_interval (default: 10m): The time between scrape attempts.
  • timeout (default: 60s): The time the scrape function will wait for a response before returning empty.
  • build_version_info (default: false): Elect to run an additional scrape which will retrieve build and version info for the configured endpoints and attach this as attributes to the selected metrics. A value of false will report an empty string as the attribute value but will speed up the receiver slightly.

Basic Example:

extensions:
    basicauth/indexer:
        client_auth:
            username: admin
            password: securityFirst
    basicauth/cluster_master:
        client_auth:
            username: admin
            password: securityFirst

receivers:
    splunkenterprise:
        indexer:
            auth: 
              authenticator: basicauth/indexer
            endpoint: "https://localhost:8089"
            timeout: 45s
        cluster_master:
            auth: 
              authenticator: basicauth/cluster_master
            endpoint: "https://localhost:8089"
            timeout: 45s

exporters:
  debug:
    verbosity: basic

service:
  extensions: [basicauth/indexer, basicauth/cluster_master]
  pipelines:
    metrics:
      receivers: [splunkenterprise]
      exporters: [debug]

Individual Cluster Config Example (with specific metrics enabled/disabled):

extensions:
  basicauth/indexer:
    client_auth:
      username: admin_user
      password: XXXXXXXXX
  basicauth/cluster_master:
    client_auth:
      username: admin_user
      password: XXXXXXXXX
  basicauth/search_head:
    client_auth:
      username: admin_user
      password: XXXXXXXXX
  basicauth/monitoring_console:
    client_auth:
      username: admin_user
      password: XXXXXXXXX

receivers:
  splunkenterprise/indexer:
    indexer:
      auth:
        authenticator: basicauth/indexer
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.indexer.throughput:
        enabled: true
      splunk.data.indexes.extended.total.size:
        enabled: true
      splunk.data.indexes.extended.event.count:
        enabled: true
      splunk.data.indexes.extended.raw.size:
        enabled: true
      splunk.data.indexes.extended.bucket.event.count:
        enabled: true
      splunk.data.indexes.extended.bucket.count:
        enabled: true
      splunk.data.indexes.extended.bucket.hot.count:
        enabled: true
      splunk.data.indexes.extended.bucket.warm.count:
        enabled: true
      splunk.server.introspection.queues.current:
        enabled: true
      splunk.server.introspection.queues.current.bytes:
        enabled: true
      splunk.health:
        enabled: false
      

  splunkenterprise/cluster_master:
    cluster_master:
      auth:
        authenticator: basicauth/cluster_master
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.parse.queue.ratio:  
        enabled: true
      splunk.indexer.avg.rate:
        enabled: true
      splunk.pipeline.set.count:
        enabled: true
      splunk.aggregation.queue.ratio:
        enabled: true
      splunk.typing.queue.ratio:
        enabled: true
      splunk.indexer.queue.ratio:
        enabled: true
      splunk.indexes.bucket.count:
        enabled: true
      splunk.indexes.size:
        enabled: true
      splunk.indexer.raw.write.time:  
        enabled: true
      splunk.indexer.cpu.time:
        enabled: true
      splunk.indexes.avg.size:
        enabled: true
      splunk.indexes.avg.usage:
        enabled: true
      splunk.indexes.median.data.age: 
        enabled: true
      splunk.scheduler.avg.execution.latency:
        enabled: true
      splunk.scheduler.completion.ratio:
        enabled: true
      splunk.scheduler.avg.run.time:
        enabled: true
      splunk.buckets.searchable.status:
        enabled: true
      splunk.health:
        enabled: true


  splunkenterprise/monitoring_console:
    cluster_master:
      auth:
        authenticator: basicauth/monitoring_console
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.parse.queue.ratio:  
        enabled: true
      splunk.indexer.avg.rate:
        enabled: true
      splunk.pipeline.set.count:
        enabled: true
      splunk.aggregation.queue.ratio:
        enabled: true
      splunk.typing.queue.ratio:
        enabled: true
      splunk.indexer.queue.ratio:
        enabled: true
      splunk.indexes.bucket.count:
        enabled: true
      splunk.indexes.size:
        enabled: true
      splunk.indexer.raw.write.time:  
        enabled: true
      splunk.indexer.cpu.time:
        enabled: true
      splunk.indexes.avg.size:
        enabled: true
      splunk.indexes.avg.usage:
        enabled: true
      splunk.indexes.median.data.age: 
        enabled: true
      splunk.scheduler.avg.execution.latency:
        enabled: true
      splunk.scheduler.completion.ratio:
        enabled: true
      splunk.scheduler.avg.run.time:
        enabled: true
      splunk.buckets.searchable.status:
        enabled: true
      splunk.health:
        enabled: true

  splunkenterprise/search_head:
    search_head:
      auth:
        authenticator: basicauth/search_head
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.server.searchartifacts.adhoc:
        enabled: true
      splunk.server.searchartifacts.scheduled:
        enabled: true
      splunk.server.searchartifacts.completed:
        enabled: true
      splunk.server.searchartifacts.incomplete:
        enabled: true
      splunk.server.searchartifacts.invalid:
        enabled: true
      splunk.server.searchartifacts.savedsearches:
        enabled: true
      splunk.server.searchartifacts.job.cache.size:
        enabled: true
      splunk.server.searchartifacts.job.cache.count:
        enabled: true
      splunk.server.searchartifacts.adhoc.size:
        enabled: true
      splunk.server.searchartifacts.scheduled.size:
        enabled: true
      splunk.server.searchartifacts.completed.size:
        enabled: true
      splunk.server.searchartifacts.incomplete.size:
        enabled: true
      splunk.search.duration:
        enabled: true
      splunk.search.initiation:
        enabled: true
      splunk.search.status:
        enabled: true
      splunk.search.success:
        enabled: true
      splunk.kvstore.status:
        enabled: true
      splunk.kvstore.replication.status:
        enabled: true
      splunk.kvstore.backup.status:
        enabled: true
      splunk.health:
        enabled: false

service:
  extensions: [basicauth/indexer, basicauth/cluster_master, basicauth/monitoring_console, basicauth/search_head]
  pipelines:
    metrics:
      receivers: [splunkenterprise/indexer, splunkenterprise/cluster_master, splunkenterprise/monitoring_console, splunkenterprise/search_head]
      exporters: [otlp_grpc]
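
The examples above store the basic-auth passwords as literals and set insecure_skip_verify: true. The following variant is an added example, not part of the original documentation: it keeps certificate verification on and reads the credentials from the collector's environment, so they are only sent to a host whose certificate chains to the configured CA. The hostnames, the CA bundle path and the environment variable names are placeholders.

```yaml
# Added example: indexer and search head receivers with TLS verification on
# and credentials taken from the environment. All hostnames, file paths and
# variable names below are placeholders.
extensions:
  basicauth/indexer:
    client_auth:
      # Resolved from the collector's environment at startup instead of
      # being written into the config file.
      username: ${env:SPLUNK_INDEXER_USER}
      password: ${env:SPLUNK_INDEXER_PASSWORD}
  basicauth/search_head:
    client_auth:
      username: ${env:SPLUNK_SEARCH_HEAD_USER}
      password: ${env:SPLUNK_SEARCH_HEAD_PASSWORD}

receivers:
  splunkenterprise/indexer:
    indexer:
      auth:
        authenticator: basicauth/indexer
      # The hostname must match a name in the certificate splunkd presents.
      endpoint: "https://splunk-idx1.example.internal:8089"
      timeout: 45s
      tls:
        # CA that issued the splunkd management-port certificate.
        ca_file: /etc/otelcol/certs/splunk-ca.pem
        # Verification stays enabled (this is also the default).
        insecure_skip_verify: false
    metrics:
      splunk.indexer.throughput:
        enabled: true
      splunk.health:
        enabled: true

  splunkenterprise/search_head:
    search_head:
      auth:
        authenticator: basicauth/search_head
      endpoint: "https://splunk-sh1.example.internal:8089"
      timeout: 45s
      tls:
        ca_file: /etc/otelcol/certs/splunk-ca.pem
        insecure_skip_verify: false
    metrics:
      splunk.kvstore.status:
        enabled: true
      splunk.health:
        enabled: true

exporters:
  debug:
    verbosity: basic

service:
  extensions: [basicauth/indexer, basicauth/search_head]
  pipelines:
    metrics:
      receivers: [splunkenterprise/indexer, splunkenterprise/search_head]
      exporters: [debug]
```

With this layout the config file can be committed or shared without exposing the Splunk credentials, and a certificate that does not chain to the CA in ca_file makes the scrape fail rather than sending the basic-auth header.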

Custom SPL Searches

The receiver supports running arbitrary SPL searches against configured Splunk endpoints. This allows you to create custom metrics from any data available in your Splunk deployment.

WARNING: Custom searches execute ad-hoc searches on your Splunk deployment. Be mindful of the performance impact, especially with complex searches or short collection intervals.

Search Configuration

Each custom search requires:
  • spl (required): The SPL search string. Can be provided as a single line or multi-line YAML block.
  • target (required): The endpoint type to run the search against. Must be one of: indexer, search_head, or cluster_master.
  • earliest (optional): The earliest time for the search. Defaults to -{collection_interval} (e.g., -10m if collection_interval is 10m). Ignored if SPL already contains earliest=.
  • latest (optional): The latest time for the search. Defaults to now. Ignored if SPL already contains latest=.
  • metrics (required): A list of metric definitions that map search result columns to OTel metrics.
Note on time ranges:
  • For regular searches (like index=_internal | stats count), the receiver automatically adds earliest and latest time modifiers.
  • For generating commands that start with | (other than | tstats), no time range is added since these commands handle time differently.
    • Receiver will correctly add a time range to searches that begin with | tstats
Each metric definition supports:
  • metric_name (required): The name of the metric to emit (e.g., splunk.custom.event_count).
  • value_column (required): The column name from the SPL results that contains the metric value.
  • attribute_columns (optional): List of column names to include as metric attributes.
  • value_type (optional): Either int (default) or double.
  • unit (optional): The unit of measurement (e.g., {count}, By, %).
  • description (optional): A description of the metric.
  • static_attributes (optional): Key-value pairs to add as static attributes to all data points.

Different Collection Intervals

All custom searches run at the same collection_interval as the built-in metrics. If you need searches to run at different intervals, configure multiple receiver instances:
receivers:
  # Fast searches - 1 minute interval
  splunkenterprise/fast:
    collection_interval: 1m
    cluster_master:
      auth:
        authenticator: basicauth/cm
      endpoint: "https://cm:8089"
    searches:
      - spl: "| tstats count where index=* by index"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.index_event_count
            value_column: count
            attribute_columns: [index]

  # Slow searches - 10 minute interval
  splunkenterprise/slow:
    collection_interval: 10m
    cluster_master:
      auth:
        authenticator: basicauth/cm
      endpoint: "https://cm:8089"
    searches:
      - spl: |
          search index=_internal sourcetype=splunkd
          | stats count by host, component
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.component_events
            value_column: count
            attribute_columns: [host, component]

Custom Search Example

receivers:
  splunkenterprise:
    collection_interval: 10m
    cluster_master:
      auth:
        authenticator: basicauth/cm
      endpoint: "https://cm.example.com:8089"

    searches:
      # Regular search - time range auto-added from collection_interval
      - spl: "index=_internal | stats count by host"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.internal_events
            value_column: count
            attribute_columns: [host]
            value_type: int
            unit: "{events}"
            description: "Count of _internal events by host"

      # Custom time range - look back 1 hour
      - spl: "index=_audit | stats count by action"
        target: cluster_master
        earliest: "-1h"
        latest: "now"
        metrics:
          - metric_name: splunk.custom.audit_actions
            value_column: count
            attribute_columns: [action]
            value_type: int

      # tstats for fast indexed field searches - receiver injects earliest/latest automatically
      - spl: "| tstats count where index=* by index"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.index_event_count
            value_column: count
            attribute_columns: [index]
            value_type: int

      # REST API search - non-tstats generating commands (| rest, | makeresults, etc.) do NOT
      # receive automatic time injection; include time modifiers in the SPL if needed
      - spl: "| rest /services/server/info | fields serverName, numberOfCores"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.server_cores
            value_column: numberOfCores
            attribute_columns: [serverName]
            value_type: int
            static_attributes:
              search_source: "rest_api"

For a full list of settings exposed by this receiver, see config.go; a detailed configuration is in testdata/config.yaml.

Metrics

| Metric Name | Description | Unit | Type | Attributes |
| --- | --- | --- | --- | --- |
| splunk.aggregation.queue.ratio | Gauge tracking the average indexer aggregation queue ratio (%). Note: Search is best run against a Cluster Manager. | {%} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.buckets.searchable.status | Gauge tracking the number of buckets and their searchable status. Note: Search is best run against a Cluster Manager. | {count} | Gauge | splunk.host, splunk.indexer.searchable, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.bucket.count | Count of buckets per index | {buckets} | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.bucket.event.count | Count of events in this bucket super-directory. Note: Must be pointed at specific indexer endpoint. | {events} | Gauge | splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.bucket.hot.count | (If size > 0) Number of hot buckets. Note: Must be pointed at specific indexer endpoint. | {buckets} | Gauge | splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.bucket.warm.count | (If size > 0) Number of warm buckets. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | {buckets} | Gauge | splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.event.count | Count of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | {events} | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.raw.size | Size in bytes on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | By | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.data.indexes.extended.total.size | Size in bytes on disk of this index. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | By | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.health | The status (‘red’, ‘yellow’, or ‘green’) of the Splunk server. Health of ‘red’ produces a 0 while all other colors produce a 1. | {status} | Gauge | splunk.feature, splunk.feature.health, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexer.avg.rate | Gauge tracking the average rate of indexed data. Note: Search is best run against a Cluster Manager. | KBy | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexer.cpu.time | Gauge tracking the number of indexing process cpu seconds per instance | {s} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexer.queue.ratio | Gauge tracking the average indexer index queue ratio (%). Note: Search is best run against a Cluster Manager. | {%} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexer.raw.write.time | Gauge tracking the number of raw write seconds per instance | {s} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexer.rollingrestart.status | The status of a rolling restart. | {status} | Gauge | splunk.searchable.restart, splunk.rollingorrestart, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexer.throughput | Gauge tracking average bytes per second throughput of indexer. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | By/s | Gauge | splunk.indexer.status, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexes.avg.size | Gauge tracking the indexes and their average size (gb). Note: Search is best run against a Cluster Manager. | Gb | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexes.avg.usage | Gauge tracking the indexes and their average usage (%). Note: Search is best run against a Cluster Manager. | {%} | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexes.bucket.count | Gauge tracking the indexes and their bucket counts. Note: Search is best run against a Cluster Manager. | {count} | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexes.median.data.age | Gauge tracking the indexes and their median data age (days). Note: Search is best run against a Cluster Manager. | {days} | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.indexes.size | Gauge tracking the indexes and their total size (gb). Note: Search is best run against a Cluster Manager. | Gb | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.io.avg.iops | Gauge tracking the average IOPs used per instance | {iops} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.kvstore.backup.status | Backup and restore status of the KV store. | {status} | Gauge | splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version |
| splunk.kvstore.replication.status | Replication status of the KV store. | {status} | Gauge | splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version |
| splunk.kvstore.status | This is the overall status of the kvstore for the given deployment. | {status} | Gauge | splunk.kvstore.storage.engine, splunk.kvstore.external, splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version |
| splunk.license.expiration.seconds_remaining | Gauge tracking the seconds remaining on any given Splunk License found via Splunk API. Note: This will only work on a Cluster Manager. | {seconds} | Gauge | splunk.license.status, splunk.license.label, splunk.license.type, splunk.splunkd.build, splunk.splunkd.version |
| splunk.license.index.usage | Gauge tracking the indexed license usage per index | By | Gauge | splunk.index.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.parse.queue.ratio | Gauge tracking the average indexer parser queue ratio (%). Note: Search is best run against a Cluster Manager. | {%} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.pipeline.set.count | Gauge tracking the number of pipeline sets per indexer. Note: Search is best run against a Cluster Manager. | KBy | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.scheduler.avg.execution.latency | Gauge tracking the average execution latency of scheduled searches | {ms} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.scheduler.avg.run.time | Gauge tracking the average runtime of scheduled searches | {ms} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.scheduler.completion.ratio | Gauge tracking the ratio of completed to skipped scheduled searches | {%} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.search.duration | Gauge tracking the duration in seconds of the last search probe call. | {status} | Gauge | splunk.splunkd.build, splunk.splunkd.version |
| splunk.search.initiation | Gauge tracking whether the last search probe successfully initiated a search. | {status} | Gauge | splunk.splunkd.build, splunk.splunkd.version |
| splunk.search.status | Gauge tracking the dispatch status of the last search probe. | {status} | Gauge | splunk.search.state, splunk.splunkd.build, splunk.splunkd.version |
| splunk.search.success | Gauge tracking whether the last search probe call was successful with the dispatch state ‘DONE’. | {status} | Gauge | splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.introspection.queues.current | Gauge tracking current length of queue. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | {queues} | Gauge | splunk.queue.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.introspection.queues.current.bytes | Gauge tracking current bytes waiting in queue. Note: Must be pointed at specific indexer endpoint and gathers metrics from only that indexer. | By | Gauge | splunk.queue.name, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.adhoc | Gauge tracking number of ad hoc search artifacts currently on disk. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.adhoc.size | Gauge total size (MB) of ad hoc search artifacts currently on disk. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.completed | Gauge tracking number of artifacts currently on disk that belong to finished searches. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.completed.size | Gauge total size (MB) of artifacts currently on disk that belong to finished searches. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.incomplete | Gauge tracking number of artifacts currently on disk that belong to unfinished/running searches. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.incomplete.size | Gauge total size (MB) of artifacts currently on disk that belong to unfinished/running searches. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.invalid | Gauge tracking number of artifacts currently on disk that are not in a valid state, such as missing info.csv file, etc. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.job.cache.count | Gauge tracking number of search artifacts metadata stored in memory, available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.job.cache.size | Gauge tracking, in megabytes, memory used to cache job status and job info of all search artifacts, available in builds 9.1.2312.207+ and 9.3.x+. | {mb} | Gauge | splunk.host, splunk.searchartifacts.cache.type, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.savedsearches | Gauge tracking, for the splunk.server.searchartifacts.scheduled number of scheduled search artifacts, how many different saved-searches they belong to. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.scheduled | Gauge tracking number of scheduled search artifacts currently on disk. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.server.searchartifacts.scheduled.size | Gauge total size (MB) of scheduled search artifacts currently on disk. Note: Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+. | {search_artifacts} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |
| splunk.typing.queue.ratio | Gauge tracking the average indexer typing queue ratio (%). Note: Search is best run against a Cluster Manager. | {%} | Gauge | splunk.host, splunk.splunkd.build, splunk.splunkd.version |

Attributes

| Attribute Name | Description | Type | Values |
| --- | --- | --- | --- |
| splunk.bucket.dir | The bucket super-directory (home, cold, thawed) for each index | string | |
| splunk.feature | The Feature name from the Splunk Health Introspection Endpoint | string | |
| splunk.feature.health | The Health (in color form) of a Splunk Feature from the Splunk Health Introspection Endpoint | string | |
| splunk.host | The name of the Splunk host | string | |
| splunk.index.name | The name of the index reporting a specific KPI | string | |
| splunk.indexer.searchable | The searchability status reported for a specific object | string | |
| splunk.indexer.status | The status message reported for a specific object | string | |
| splunk.kvstore.external | Value denoting if the KV store is using an external service | string | |
| splunk.kvstore.status.value | The string value of the status returned when reporting on KV store using the introspection endpoint | string | |
| splunk.kvstore.storage.engine | The backend storage used by the KV store | string | |
| splunk.license.label | The label of the license. | string | |
| splunk.license.status | The status of the license. | string | |
| splunk.license.type | The type of license. | string | |
| splunk.queue.name | The name of the queue reporting a specific KPI | string | |
| splunk.rollingorrestart | Boolean that indicates if there is a rolling restart or rolling upgrade in progress. | bool | |
| splunk.search.state | The dispatch state of the search | string | |
| splunk.searchable.restart | Boolean that indicates if a searchable rolling restart/upgrade is in progress. | bool | |
| splunk.searchartifacts.cache.type | The search artifacts cache type | string | |
| splunk.splunkd.build | The build number for this Splunk instance version | string | |
| splunk.splunkd.version | The splunkd version number | string | |

Configuration

Example Configuration

# Example config for the Splunk Enterprise Receiver.
basicauth/search_head:
  client_auth:
    username: admin
    password: securityFirst
basicauth/indexer:
  client_auth:
    username: admin
    password: securityFirst1!

splunkenterprise:
  indexer:
    auth:
      authenticator: basicauth/indexer
    timeout: 10
  search_head:
    auth:
      authenticator: basicauth/search_head
  # Also optional: metric settings
  metrics:
    splunk.license.index.usage:
      enabled: true
    splunk.indexer.throughput:
      enabled: false
  # Custom SPL searches (optional)
  searches:
    # Regular search
    - spl: "index=_internal sourcetype=splunkd | stats count by host"
      target: search_head
      metrics:
        - metric_name: splunk.custom.event.count
          value_column: count
          attribute_columns:
            - host
          value_type: int
          unit: "{count}"
          description: "Custom event count by host"
    # Custom time range
    - spl: "index=_audit | stats count by action"
      target: search_head
      earliest: "-42m"
      latest: "now"
      metrics:
        - metric_name: splunk.custom.audit.count
          value_column: count
          attribute_columns:
            - action
          value_type: int
    # Generating command 
    - spl: "| tstats count where index=_* by index"
      target: indexer
      metrics:
        - metric_name: splunk.custom.index.count
          value_column: count
          attribute_columns:
            - index
          value_type: int

Last generated: 2026-04-13