Extracting data from Splunk Infrastructure Monitoring
All of the following statements are true in your organization:
- You have an operational dashboard that pulls data from multiple sources, including Splunk, to present a consolidated view of an environment. The tool you use for the operational dashboard has its own visualization capabilities, so all you need is the data to populate the visualizations.
- You want to make data that’s stored in Splunk Infrastructure Monitoring visible to users that don’t have logins to Splunk, such as executives or customers.
- You want to use the metrics in Splunk Infrastructure Monitoring to drive automated actions, such as remediating issues or performing preventative maintenance, and you prefer not to do this using Splunk detectors and their associated webhooks.
- You want to analyze the data stored in Splunk Infrastructure Monitoring using a desktop product, or some other tool that performs different types of analytics than the Splunk analytics engine.
To meet these needs, you want to extract past or streaming time series data that has been sent to Splunk Infrastructure Monitoring. You want to extract “raw” data (that is, the metrics and their values), as well as data that has been processed by Splunk analytics.
How to use Splunk software for this use case
Depending on your environment and requirements, you might find it try some or all of the following:
As described in the linked articles, both of these methods have advantages and disadvantages. If neither method is appropriate in your environment, you can also download data from the Splunk Infrastructure Monitoring user interface. While viewing the Data Table tab in a chart or detector in Splunk Infrastructure Monitoring, you can download a CSV file containing the data displayed in the table. Also, when viewing a chart, you can export the most recent 100 datapoints to a CSV file.
The advantages of this method are:
- This method is easy, as it doesn’t require any programming or use of an API.
- You can export data that has been filtered, that has a custom rollup or resolution, or that has been processed by Splunk analytics, if that is what is being displayed on the chart.
The disadvantages are:
- You can export data only when you are working in the Splunk Infrastructure Monitoring UI.
- When exporting the data table, you see data for only one point in time represented on the chart.
- When exporting the chart, you see only the most recent 100 datapoints being displayed on the chart.
- You can’t export streaming data.
The content in this article comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these resources might help you understand and implement this guidance:
- GitHub: Splunk Infrastructure Monitoring Python Library
- GitHub: SignalFlow Command Line Client
- Splunk Docs: Analyze data using SignalFlow
- Splunk Developer Guide: retrieve timeserieswindow