Implementing features and use cases in Splunk APM
There are a couple of high value features you will want to spend some time configuring and optimizing in order to get the most out of Splunk Application Performance Monitoring. Indexing Span tags set you up to make the most out of Tag Spotlight, and configuring Business Workflows allow for more seamless monitoring and troubleshooting of those critical flows throughout your distributed environments.
Indexing span tags
Drill down into service performance with span tags. Span tags provide additional context about operations that spans represent. Default span tags include things like the endpoint, operation, and HTTP method associated with a span. Using these tags, you can analyze requests, errors, and latency for spans that contain specific span tags. This context lets you understand service performance at a glance and helps you discover the root cause of issues faster.
Index span tags to analyze services in the following ways:
- Break down service performance by indexed tags in the Troubleshooting Service Map.
- View charts of service performance metrics by indexed span tags in Tag Spotlight.
- Track multiple traces for a specific activity with Business Workflows.
- ► Which span tags to index, and how to index span tags
-
Index only span tags you want to drill down into to gain insights about the performance of your infrastructure, or to address a specific incident. Some span tags provide a level of cardinality that just isn’t useful. For example, indexing
query_id
would generate MetricSets for every unique query, and in most cases there’s no reason for this level of cardinality. Also, avoid indexing span tags that represent ephemeral resources, such ascontainer_id
.Here are the span tags that APM automatically indexes.
Consider which span tags are worth creating MetricSets for. Here are some questions you can ask about your environment:
- Are there any attributes I look at when an incident occurs? If you’re running Kubernetes, you could index
k8s.pod.name
to view the performance of services by specific Kubernetes pods. - Do I run multiple versions or builds of code at the same time? You could index tags for
version
orbuild_id
to break down your infrastructure according to specific versions or builds of your applications. - Do I deploy services in multiple regions or fault domains? It could be useful to view metrics for services by specific
region
span tags to identify issues with resources in specific regions or zones.
There are two ways to add span tags - instrument your application to create span tags, or add span tags to spans when you send trace data to a Splunk OpenTelemetry Collector.
Instrument your application to create span tags
How you instrument code to create span tags depends on your code’s language. For more information about adding span tags at the instrumentation level, see resources for the language you are instrumenting:
Add span tags with an OpenTelemetry Collector
Include span tags in settings for the
batch
processor in your OpenTelemetry Collector configuration YAML file. You can create span tags withattributes/newenvironment
which adds span tags to any spans that don’t already have the tags, or withattributes/copyfromexistingkey
which overrides an existing span tag value. - Are there any attributes I look at when an incident occurs? If you’re running Kubernetes, you could index
Establishing business workflows
A business workflow is the start-to-finish journey of the collection of traces associated with a given activity or transaction. Each trace consists of multiple spans, and each span has identifying tags.
As a software engineer, site reliability engineer (SRE), or executive, you can use Business Workflows to monitor and troubleshoot end-to-end transactions in your system. In retail contexts, for example, an end-to-end transaction might encompass initial contact through order fulfillment, as captured by a trace.
You can create rules that correlate traces from a specific service or from multiple services that include the same global span tag. You must be an administrator to configure business workflow rules.
- ► How to configure business workflow rules
-
To configure a new rule from Splunk Application Performance Monitoring, follow these steps. There is a difference between enabling a rule and applying it. The enable/disable switch affects an individual rule by turning it on or off. After you modify one or more rules, you then use buttons that act on the entire rule set to save or discard those changes. Changes are not applied unless you save them.
Go to Organization Settings (Found at bottom of Nav Menu) > Business Workflow Configuration. Click New Rule. Select one of the following options from the Rule Type drop-down:- Global Tag. Define workflows based on the value of a global tag in spans associated with a trace. This correlates traces that contain spans with the global tag.
- Service. Define workflows based on traces that include a service you specify. When a trace matches the rule, you also see a specified tag value or endpoint associated with the trace for the service.
- Target Global Tag prompts you to select an indexed global tag. When you select a tag, the rule correlates all traces with the global tag. The rule name is based on the global tag you select.
- Target Service prompts you to select a service and specify the Source of Workflow Name, which is extra metadata to view about the workflow. You can select to correlate traces for a service by an endpoint for the initiating span or a span tag value
Read more about configuring business workflow rules here, as well as an example rule configuration. You can also alert on business workflows, a process which is covered in Managing alerts in Splunk APM.
Implementing use cases
Some high-value use cases you might want to work with are:
- Identify slow database queries using Database Query Performance
- Find performance issues using AlwaysOn Profiling
You can also review other troubleshooting and monitoring use cases here.