All Apps and Add-ons

With Splunk 6, Do I Need Fire Brigade TA?

David
Splunk Employee
Splunk Employee

I love Fire Brigade for the visibility it provides me on my data. However, I'm wondering whether I still need to install the TA on all of my indexers, with the distributed dbinspect functionality in Splunk 6. Can anyone help?

Tags (1)
1 Solution

sowings
Splunk Employee
Splunk Employee

In small environments, the dbinspect command (read: TA-fire_brigade) run from the search head is probably OK. This means you'd only install it (and the main app together) on the search head. However, in larger environments, you'll end up triggering the subsearch limit (in the map command) of 10,000 rows and possibly end up with partial data for the dbinspect info.

So, more than about 4-5 indexers, go with TA-fire_brigade on each indexer.

In the latter case, you may want to run the "Update monitored list from REST" search string on the search head once to populate the file "monitored_indexes.csv", just to satisfy one panel on the cumulative overview ("Quick Overview") dashboard.

View solution in original post

ppablo
Retired

FYI, Fire Brigade version 2 will no longer be updated (latest version is 2.0.3). The newer versions 2.0.4 and higher will now be available with the original “Fire Brigade” app on Splunkbase which was just updated to support Splunk 6.3. This is noted on the page for Fire Brigade on Splunkbase:
https://splunkbase.splunk.com/app/1581/

If you have any questions, ping the developer of the app @sowings

Cheers!

0 Karma

sowings
Splunk Employee
Splunk Employee

In small environments, the dbinspect command (read: TA-fire_brigade) run from the search head is probably OK. This means you'd only install it (and the main app together) on the search head. However, in larger environments, you'll end up triggering the subsearch limit (in the map command) of 10,000 rows and possibly end up with partial data for the dbinspect info.

So, more than about 4-5 indexers, go with TA-fire_brigade on each indexer.

In the latter case, you may want to run the "Update monitored list from REST" search string on the search head once to populate the file "monitored_indexes.csv", just to satisfy one panel on the cumulative overview ("Quick Overview") dashboard.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...