How to generate a report on the availability of Splunk services like indexing?
We have a requirement to submit the availability report of Splunk for the past 6 months.
How do we do that? Is it the correct way to check the availability of Splunk using the status of indexing?
Kindly explain.
It is only possible if you've logged these things with some tool or Splunk app that has measured availability in a way that meets your organization's definition of availability.
Perhaps you can look at the average time period between _internal or introspection log entries and see if some time period is beyond that by some number of standard deviations. However, this is not a guarantee of whether Splunk was available based on your organization's definition during the time periods where there are log entries without indications of errors that may mean Splunk is not operating correctly, nor does it guarantee that Splunk was not available based on your organization's definition during any time periods that fall outside that number of standard deviations of silence/lack of logs.
Therefore, if you haven't gathered metrics to show operational efficacy of any service, including Splunk, it is extremely difficult, or simply impossible, to provide any availability reporting that would withstand any level of auditing or close scrutiny. I wouldn't bet an SLA on it without having a sound metrics gathering and reporting methodology in place from the start.
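As an added illustration of the gap-detection heuristic described in the answer above (example code, not from this thread or from Splunk), the script below flags silences in a series of log timestamps that exceed the mean inter-arrival time by more than k standard deviations and reports the flagged silence as suspected downtime; the timestamps are constructed and k=3 is an assumed value.

```python
# Added example, not from the thread: detect "silence" between consecutive
# log entries (e.g. _internal) longer than mean + k*stddev of the gaps and
# estimate how much of the observed window was covered by such silence.
from datetime import datetime, timedelta
from statistics import mean, pstdev


def sample_timestamps():
    """Constructed data: one entry per minute, with a single 30-minute
    stretch of no log entries inserted after the 50th entry."""
    start = datetime(2024, 1, 1, 0, 0, 0)
    ts = [start + timedelta(minutes=i) for i in range(50)]
    resume = ts[-1] + timedelta(minutes=30)          # 1800 s of silence
    ts += [resume + timedelta(minutes=i) for i in range(50)]
    return ts


def find_silence_gaps(timestamps, k=3.0):
    """Return ([(gap_start, gap_end, seconds), ...], threshold_seconds).
    Caveat: one very long gap also inflates the stddev, so among n gaps no
    single outlier can exceed roughly sqrt(n) sigma; pick k accordingly."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return [], 0.0
    threshold = mean(gaps) + k * pstdev(gaps)
    flagged = [(ts[i], ts[i + 1], g) for i, g in enumerate(gaps) if g > threshold]
    return flagged, threshold


def availability_estimate(timestamps, k=3.0):
    """Percent of the window not covered by flagged silence. This only
    estimates 'Splunk kept writing logs', not any SLA-grade availability."""
    ts = sorted(timestamps)
    window = (ts[-1] - ts[0]).total_seconds()
    if window <= 0:
        return 0.0
    silent = sum(g for _, _, g in find_silence_gaps(ts, k)[0])
    return 100.0 * (window - silent) / window


if __name__ == "__main__":
    ts = sample_timestamps()
    gaps, thr = find_silence_gaps(ts)
    for a, b, g in gaps:
        print(f"silence {a:%Y-%m-%d %H:%M} -> {b:%H:%M} ({g:.0f}s > {thr:.0f}s)")
    print(f"estimated availability: {availability_estimate(ts):.2f}%")
```

In practice the timestamps would be exported from a search over the index in question; with the constructed data the single 30-minute silence is flagged and the estimate comes out at 76.5625%.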
Is it possible?
The first step is defining what it means to be "available". The status of just the indexer(s) is probably not sufficient. Depending on how you use Splunk, being available could mean splunkweb is running or only splunkd. The calculation becomes more complex if you're in a multi-host environment. Also, even if Splunk is running it may not be considered "available" if users can't get to it so you have to factor in the network.
Do you have any apps like Splunk on Splunk (S.O.S.), *Nix (or Windows) to monitor the system running Splunk, or any other mechanism to monitor your systems running Splunk?
What are the specific requirements to measure availability in your environment?