Splunkenterprise Receiver

Available in: contrib Maintainers: @shalper2, @MovieStoreGuy, @greatestusername Source: opentelemetry-collector-contrib

Supported Telemetry

Overview

Configuration

By default the Splunk Enterprise receiver is not configured to gather any metrics other than splunk.health The following settings are required, omitting them will either cause your receiver to fail to compile or result in 4/5xx return codes during scraping. NOTE: These must be set for each Splunk instance type (indexer, search head, or cluster master) from which you wish to pull metrics. At present, only one of each type is accepted, per configured receiver instance. This means, for example, that if you have three different “indexer” type instances that you would like to pull metrics from you will need to configure three different splunkenterprise receivers for each indexer node you wish to monitor.

basicauth (from basicauthextension): A configured stanza for the basicauthextension.
auth (no default): String name referencing your auth extension.
endpoint (no default): your Splunk Enterprise host’s endpoint.

The following settings are optional:

collection_interval (default: 10m): The time between scrape attempts.
timeout (default: 60s): The time the scrape function will wait for a response before returning empty.
build_version_info (default: false): Elect to run an additional scrape which will retrieve build and version info for the configured endpoints and attach this as attributes to the selected metrics. A value of false will report an empty string as the attribute value but will speed up the receiver slightly.

Basic Example:

extensions:
    basicauth/indexer:
        client_auth:
            username: admin
            password: securityFirst
    basicauth/cluster_master:
        client_auth:
            username: admin
            password: securityFirst

receivers:
    splunkenterprise:
        indexer:
            auth: 
              authenticator: basicauth/indexer
            endpoint: "https://localhost:8089"
            timeout: 45s
        cluster_master:
            auth: 
              authenticator: basicauth/cluster_master
            endpoint: "https://localhost:8089"
            timeout: 45s

exporters:
  debug:
    verbosity: basic

service:
  extensions: [basicauth/indexer, basicauth/cluster_master]
  pipelines:
    metrics:
      receivers: [splunkenterprise]
      exporters: [debug]

Individual Cluster Config Example (with specific metrics enabled/disabled):

extensions:
  basicauth/indexer:
    client_auth:
      username: admin_user
      password: XXXXXXXXX
  basicauth/cluster_master:
    client_auth:
      username: admin_user
      password: XXXXXXXXX
  basicauth/search_head:
    client_auth:
      username: admin_user
      password: XXXXXXXXX
  basicauth/monitoring_console:
    client_auth:
      username: admin_user
      password: XXXXXXXXX

receivers:
  splunkenterprise/indexer:
    indexer:
      auth:
        authenticator: basicauth/indexer
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.indexer.throughput:
        enabled: true
      splunk.data.indexes.extended.total.size:
        enabled: true
      splunk.data.indexes.extended.event.count:
        enabled: true
      splunk.data.indexes.extended.raw.size:
        enabled: true
      splunk.data.indexes.extended.bucket.event.count:
        enabled: true
      splunk.data.indexes.extended.bucket.count:
        enabled: true
      splunk.data.indexes.extended.bucket.hot.count:
        enabled: true
      splunk.data.indexes.extended.bucket.warm.count:
        enabled: true
      splunk.server.introspection.queues.current:
        enabled: true
      splunk.server.introspection.queues.current.bytes:
        enabled: true
      splunk.health:
        enabled: false
      

  splunkenterprise/cluster_master:
    cluster_master:
      auth:
        authenticator: basicauth/cluster_master
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.parse.queue.ratio:  
        enabled: true
      splunk.indexer.avg.rate:
        enabled: true
      splunk.pipeline.set.count:
        enabled: true
      splunk.aggregation.queue.ratio:
        enabled: true
      splunk.typing.queue.ratio:
        enabled: true
      splunk.indexer.queue.ratio:
        enabled: true
      splunk.indexes.bucket.count:
        enabled: true
      splunk.indexes.size:
        enabled: true
      splunk.indexer.raw.write.time:  
        enabled: true
      splunk.indexer.cpu.time:
        enabled: true
      splunk.indexes.avg.size:
        enabled: true
      splunk.indexes.avg.usage:
        enabled: true
      splunk.indexes.median.data.age: 
        enabled: true
      splunk.scheduler.avg.execution.latency:
        enabled: true
      splunk.scheduler.completion.ratio:
        enabled: true
      splunk.scheduler.avg.run.time:
        enabled: true
      splunk.buckets.searchable.status:
        enabled: true
      splunk.health:
        enabled: true


  splunkenterprise/monitoring_console:
    cluster_master:
      auth:
        authenticator: basicauth/monitoring_console
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.parse.queue.ratio:  
        enabled: true
      splunk.indexer.avg.rate:
        enabled: true
      splunk.pipeline.set.count:
        enabled: true
      splunk.aggregation.queue.ratio:
        enabled: true
      splunk.typing.queue.ratio:
        enabled: true
      splunk.indexer.queue.ratio:
        enabled: true
      splunk.indexes.bucket.count:
        enabled: true
      splunk.indexes.size:
        enabled: true
      splunk.indexer.raw.write.time:  
        enabled: true
      splunk.indexer.cpu.time:
        enabled: true
      splunk.indexes.avg.size:
        enabled: true
      splunk.indexes.avg.usage:
        enabled: true
      splunk.indexes.median.data.age: 
        enabled: true
      splunk.scheduler.avg.execution.latency:
        enabled: true
      splunk.scheduler.completion.ratio:
        enabled: true
      splunk.scheduler.avg.run.time:
        enabled: true
      splunk.buckets.searchable.status:
        enabled: true
      splunk.health:
        enabled: true

  splunkenterprise/search_head:
    search_head:
      auth:
        authenticator: basicauth/search_head
      endpoint: "https://ip.ip.ip.ip:8089"
      tls:
        insecure_skip_verify: true
    metrics:
      splunk.server.searchartifacts.adhoc:
        enabled: true
      splunk.server.searchartifacts.scheduled:
        enabled: true
      splunk.server.searchartifacts.completed:
        enabled: true
      splunk.server.searchartifacts.incomplete:
        enabled: true
      splunk.server.searchartifacts.invalid:
        enabled: true
      splunk.server.searchartifacts.savedsearches:
        enabled: true
      splunk.server.searchartifacts.job.cache.size:
        enabled: true
      splunk.server.searchartifacts.job.cache.count:
        enabled: true
      splunk.server.searchartifacts.adhoc.size:
        enabled: true
      splunk.server.searchartifacts.scheduled.size:
        enabled: true
      splunk.server.searchartifacts.completed.size:
        enabled: true
      splunk.server.searchartifacts.incomplete.size:
        enabled: true
      splunk.search.duration:
        enabled: true
      splunk.search.initiation:
        enabled: true
      splunk.search.status:
        enabled: true
      splunk.search.success:
        enabled: true
      splunk.kvstore.status:
        enabled: true
      splunk.kvstore.replication.status:
        enabled: true
      splunk.kvstore.backup.status:
        enabled: true
      splunk.health:
        enabled: false

service:
  extensions: [basicauth/indexer, basicauth/cluster_master, basicauth/monitoring_console, basicauth/search_head]
  pipelines:
    metrics:
      receivers: [splunkenterprise/indexer, splunkenterprise/cluster_master, splunkenterprise/monitoring_console, splunkenterprise/search_head]
      exporters: [otlp_grpc]

Custom SPL Searches

The receiver supports running arbitrary SPL searches against configured Splunk endpoints. This allows you to create custom metrics from any data available in your Splunk deployment. WARNING: Custom searches execute ad-hoc searches on your Splunk deployment. Be mindful of the performance impact, especially with complex searches or short collection intervals.

Search Configuration

Each custom search requires:

spl (required): The SPL search string. Can be provided as a single line or multi-line YAML block.
target (required): The endpoint type to run the search against. Must be one of: indexer, search_head, or cluster_master.
earliest (optional): The earliest time for the search. Defaults to -{collection_interval} (e.g., -10m if collection_interval is 10m). Ignored if SPL already contains earliest=.
latest (optional): The latest time for the search. Defaults to now. Ignored if SPL already contains latest=.
metrics (required): A list of metric definitions that map search result columns to OTel metrics.

Note on time ranges:

For regular searches (like index=_internal | stats count), the receiver automatically adds earliest and latest time modifiers.
For generating commands that start with | (other than | tstats), no time range is added since these commands handle time differently.
- Receiver will correctly add a time range to searches that begin with | tstats

Each metric definition supports:

metric_name (required): The name of the metric to emit (e.g., splunk.custom.event_count).
value_column (required): The column name from the SPL results that contains the metric value.
attribute_columns (optional): List of column names to include as metric attributes.
value_type (optional): Either int (default) or double.
unit (optional): The unit of measurement (e.g., {count}, By, %).
description (optional): A description of the metric.
static_attributes (optional): Key-value pairs to add as static attributes to all data points.

Different Collection Intervals

All custom searches run at the same collection_interval as the built-in metrics. If you need searches to run at different intervals, configure multiple receiver instances:

receivers:
  # Fast searches - 1 minute interval
  splunkenterprise/fast:
    collection_interval: 1m
    cluster_master:
      auth:
        authenticator: basicauth/cm
      endpoint: "https://cm:8089"
    searches:
      - spl: "| tstats count where index=* by index"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.index_event_count
            value_column: count
            attribute_columns: [index]

  # Slow searches - 10 minute interval
  splunkenterprise/slow:
    collection_interval: 10m
    cluster_master:
      auth:
        authenticator: basicauth/cm
      endpoint: "https://cm:8089"
    searches:
      - spl: |
          search index=_internal sourcetype=splunkd
          | stats count by host, component
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.component_events
            value_column: count
            attribute_columns: [host, component]

Custom Search Example

receivers:
  splunkenterprise:
    collection_interval: 10m
    cluster_master:
      auth:
        authenticator: basicauth/cm
      endpoint: "https://cm.example.com:8089"

    searches:
      # Regular search - time range auto-added from collection_interval
      - spl: "index=_internal | stats count by host"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.internal_events
            value_column: count
            attribute_columns: [host]
            value_type: int
            unit: "{events}"
            description: "Count of _internal events by host"

      # Custom time range - look back 1 hour
      - spl: "index=_audit | stats count by action"
        target: cluster_master
        earliest: "-1h"
        latest: "now"
        metrics:
          - metric_name: splunk.custom.audit_actions
            value_column: count
            attribute_columns: [action]
            value_type: int

      # tstats for fast indexed field searches - receiver injects earliest/latest automatically
      - spl: "| tstats count where index=* by index"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.index_event_count
            value_column: count
            attribute_columns: [index]
            value_type: int

      # REST API search - non-tstats generating commands (| rest, | makeresults, etc.) do NOT
      # receive automatic time injection; include time modifiers in the SPL if needed
      - spl: "| rest /services/server/info | fields serverName, numberOfCores"
      - spl: "| rest /services/server/info | fields serverName, numberOfCores"
        target: cluster_master
        metrics:
          - metric_name: splunk.custom.server_cores
            value_column: numberOfCores
            attribute_columns: [serverName]
            value_type: int
            static_attributes:
              search_source: "rest_api"

For a full list of settings exposed by this receiver please look in config.go with a detailed configuration in testdata/config.yaml.

Metrics

Metric Name	Description	Unit	Type	Attributes
❌ `splunk.aggregation.queue.ratio`	Gauge tracking the average indexer aggregation queue ration (%). Note:* Search is best run against a Cluster Manager.	{%}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.buckets.searchable.status`	Gauge tracking the number of buckets and their searchable status. Note:* Search is best run against a Cluster Manager.	{count}	Gauge	splunk.host, splunk.indexer.searchable, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.bucket.count`	Count of buckets per index	{buckets}	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.bucket.event.count`	Count of events in this bucket super-directory. Note:* Must be pointed at specific indexer `endpoint`.	{events}	Gauge	splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.bucket.hot.count`	(If size > 0) Number of hot buckets. Note:* Must be pointed at specific indexer `endpoint`.	{buckets}	Gauge	splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.bucket.warm.count`	(If size > 0) Number of warm buckets. Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	{buckets}	Gauge	splunk.index.name, splunk.bucket.dir, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.event.count`	Count of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets. Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	{events}	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.raw.size`	Size in bytes on disk of the `<bucket>`/rawdata/ directories of all buckets in this index, excluding frozen Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	By	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.data.indexes.extended.total.size`	Size in bytes on disk of this index Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	By	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
✅ `splunk.health`	The status (‘red’, ‘yellow’, or ‘green’) of the Splunk server. Health of ‘red’ produces a 0 while all other colors produce a 1.	{status}	Gauge	splunk.feature, splunk.feature.health, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexer.avg.rate`	Gauge tracking the average rate of indexed data. Note: Search is best run against a Cluster Manager.	KBy	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexer.cpu.time`	Gauge tracking the number of indexing process cpu seconds per instance	{s}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexer.queue.ratio`	Gauge tracking the average indexer index queue ration (%). Note:* Search is best run against a Cluster Manager.	{%}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexer.raw.write.time`	Gauge tracking the number of raw write seconds per instance	{s}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexer.rollingrestart.status`	The status of a rolling restart.	{status}	Gauge	splunk.searchable.restart, splunk.rollingorrestart, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexer.throughput`	Gauge tracking average bytes per second throughput of indexer. Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	By/s	Gauge	splunk.indexer.status, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexes.avg.size`	Gauge tracking the indexes and their average size (gb). Note:* Search is best run against a Cluster Manager.	Gb	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexes.avg.usage`	Gauge tracking the indexes and their average usage (%). Note:* Search is best run against a Cluster Manager.	{%}	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexes.bucket.count`	Gauge tracking the indexes and their bucket counts. Note:* Search is best run against a Cluster Manager.	{count}	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexes.median.data.age`	Gauge tracking the indexes and their median data age (days). Note:* Search is best run against a Cluster Manager.	{days}	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.indexes.size`	Gauge tracking the indexes and their total size (gb). Note:* Search is best run against a Cluster Manager.	Gb	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.io.avg.iops`	Gauge tracking the average IOPs used per instance	{iops}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.kvstore.backup.status`	Backup and restore status of the KV store.	{status}	Gauge	splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.kvstore.replication.status`	Replication status of the KV store.	{status}	Gauge	splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.kvstore.status`	This is the overall status of the kvstore for the given deployment.	{status}	Gauge	splunk.kvstore.storage.engine, splunk.kvstore.external, splunk.kvstore.status.value, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.license.expiration.seconds_remaining`	Gauge tracking the seconds remaining on any given Splunk License found via Splunk API. Note: This will only work on a Cluster Manager.	{seconds}	Gauge	splunk.license.status, splunk.license.label, splunk.license.type, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.license.index.usage`	Gauge tracking the indexed license usage per index	By	Gauge	splunk.index.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.parse.queue.ratio`	Gauge tracking the average indexer parser queue ration (%). Note:* Search is best run against a Cluster Manager.	{%}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.pipeline.set.count`	Gauge tracking the number of pipeline sets per indexer. Note: Search is best run against a Cluster Manager.	KBy	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.scheduler.avg.execution.latency`	Gauge tracking the average execution latency of scheduled searches	{ms}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.scheduler.avg.run.time`	Gauge tracking the average runtime of scheduled searches	{ms}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.scheduler.completion.ratio`	Gauge tracking the ratio of completed to skipped scheduled searches	{%}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.search.duration`	Gauge tracking the duration in seconds of the last search probe call.	{status}	Gauge	splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.search.initiation`	Gauge tracking whether the last search probe successfully initiated a search.	{status}	Gauge	splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.search.status`	Gauge tracking the dispatch status of the last search probe.	{status}	Gauge	splunk.search.state, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.search.success`	Gauge tracking whether the last search probe call was successful with the dispatch state ‘DONE’.	{status}	Gauge	splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.introspection.queues.current`	Gauge tracking current length of queue. Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	{queues}	Gauge	splunk.queue.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.introspection.queues.current.bytes`	Gauge tracking current bytes waiting in queue. Note:* Must be pointed at specific indexer `endpoint` and gathers metrics from only that indexer.	By	Gauge	splunk.queue.name, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.adhoc`	Gauge tracking number of ad hoc search artifacts currently on disk. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.adhoc.size`	Gauge total size (MB) of ad hoc search artifacts currently on disk. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.completed`	Gauge tracking number of artifacts currently on disk that belong to finished searches. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.completed.size`	Gauge total size (MB) of artifacts currently on disk that belong to finished searches. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.incomplete`	Gauge tracking number of artifacts currently on disk that belong to unfinished/running searches. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.incomplete.size`	Gauge total size (MB) of artifacts currently on disk that belong to unfinished/running searches. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.invalid`	Gauge tracking number of artifacts currently on disk that are not in a valid state, such as missing info.csv file, etc. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.job.cache.count`	Gauge tracking number search artifacts metadata stored in memory, available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.job.cache.size`	Gauge tracking, in megabytes, memory used to cache job status and job info of all search artifacts, available in builds 9.1.2312.207+ and 9.3.x+.	{mb}	Gauge	splunk.host, splunk.searchartifacts.cache.type, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.savedsearches`	Gauge tracking, for the `splunk.server.searchartifacts.scheduled` number of scheduled search artifacts, how many different saved-searches they belong to. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.scheduled`	Gauge tracking number of scheduled search artifacts currently on disk. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.server.searchartifacts.scheduled.size`	Gauge total size (MB) of scheduled search artifacts currently on disk. Note:* Must be pointed at specific Search Head endpoint and gathers metrics from only that Search Head. Available in builds 9.1.2312.207+ and 9.3.x+.	{search_artifacts}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version
❌ `splunk.typing.queue.ratio`	Gauge tracking the average indexer typing queue ration (%). Note:* Search is best run against a Cluster Manager.	{%}	Gauge	splunk.host, splunk.splunkd.build, splunk.splunkd.version

Attributes

Attribute Name	Description	Type
`splunk.bucket.dir`	The bucket super-directory (home, cold, thawed) for each index	string
`splunk.feature`	The Feature name from the Splunk Health Introspection Endpoint	string
`splunk.feature.health`	The Health (in color form) of a Splunk Feature from the Splunk Health Introspection Endpoint	string
`splunk.host`	The name of the splunk host	string
`splunk.index.name`	The name of the index reporting a specific KPI	string
`splunk.indexer.searchable`	The searchability status reported for a specific object	string
`splunk.indexer.status`	The status message reported for a specific object	string
`splunk.kvstore.external`	Value denoting if the KV store is using an external service	string
`splunk.kvstore.status.value`	The string value of the status returned when reporting on KV store using the introspection endpoint	string
`splunk.kvstore.storage.engine`	The backend storage used by the KV store	string
`splunk.license.label`	The label of the license.	string
`splunk.license.status`	The status of the license.	string
`splunk.license.type`	The type of license.	string
`splunk.queue.name`	The name of the queue reporting a specific KPI	string
`splunk.rollingorrestart`	Boolean that indicates if there is a rolling restart or rolling upgrade in progress.	bool
`splunk.search.state`	The dispatch state of the search	string
`splunk.searchable.restart`	Boolean that indicates if a searchable rolling restart/upgrade in progress.t	bool
`splunk.searchartifacts.cache.type`	The search artifacts cache type	string
`splunk.splunkd.build`	The build number for this Splunk instance version	string
`splunk.splunkd.version`	The splunkd version number	string

Configuration

Example Configuration

# Example config for the Splunk Enterprise Receiver.
basicauth/search_head:
  client_auth:
    username: admin
    password: securityFirst
basicauth/indexer:
  client_auth:
    username: admin
    password: securityFirst1!

splunkenterprise:
  indexer:
    auth:
      authenticator: basicauth/indexer
    timeout: 10
  search_head:
    auth:
      authenticator: basicauth/search_head
  # Also optional: metric settings
  metrics:
    splunk.license.index.usage:
      enabled: true
    splunk.indexer.throughput:
      enabled: false
  # Custom SPL searches (optional)
  searches:
    # Regular search
    - spl: "index=_internal sourcetype=splunkd | stats count by host"
      target: search_head
      metrics:
        - metric_name: splunk.custom.event.count
          value_column: count
          attribute_columns:
            - host
          value_type: int
          unit: "{count}"
          description: "Custom event count by host"
    # Custom time range
    - spl: "index=_audit | stats count by action"
      target: search_head
      earliest: "-42m"
      latest: "now"
      metrics:
        - metric_name: splunk.custom.audit.count
          value_column: count
          attribute_columns:
            - action
          value_type: int
    # Generating command 
    - spl: "| tstats count where index=_* by index"
      target: indexer
      metrics:
        - metric_name: splunk.custom.index.count
          value_column: count
          attribute_columns:
            - index
          value_type: int

Last generated: 2026-04-20

Documentation Index

​Splunkenterprise Receiver

​Supported Telemetry

​Overview

​Configuration

​Basic Example:

​Individual Cluster Config Example (with specific metrics enabled/disabled):

​Custom SPL Searches

​Search Configuration

​Different Collection Intervals

​Custom Search Example

​Metrics

​Attributes

​Configuration

​Example Configuration

Splunkenterprise Receiver

Supported Telemetry

Overview

Configuration

Basic Example:

Individual Cluster Config Example (with specific metrics enabled/disabled):

Custom SPL Searches

Search Configuration

Different Collection Intervals

Custom Search Example

Metrics

Attributes

Configuration

Example Configuration