Splunk Lantern

Dell: EMC Isilon


Dell EMC Isilon data is an instance of storage device data and contains data about the configuration, performance, and operational condition of the Isilon file system and the hardware. It also contains access pattern information that is suitable for audits. The data can be pulled from the Isilon system with REST calls to the API or can be pushed using syslog.

Isilon data provides performance information common to storage systems, such as operations per second and bytes written and read. In addition, it provides cache efficiency information, such as hit rates, file system performance by operation, and locking and blocked events. All of this information is useful for troubleshooting operational and performance-related issues. In the Common Information Model, Dell EMC Isilon data can be mapped to any of the following data models, depending on the field: Inventory, Performance, and Authentication.


Guidance for onboarding data can be found in the Splunk Documentation:

Refer to the documentation, and note the following:

  • Recommended index: isilon
  • Source type: emc:isilon:rest and emc:isilon:syslog
  • Input type: Modular input and syslog
  • Add-on or app: Dell EMC Isilon Add-on for Splunk Enterprise
  • Sizing estimate: The best way to estimate sizing is to send the data to Splunk and use the monitoring console to get ingest sizing by index or sourcetype. Data ingest will vary widely, but an estimated baseline is 500 MB per day per Isilon cluster.


The main app dashboards can take some time to populate. After data collection is started, wait several minutes, then run this search:

| tstats values(sourcetype) WHERE index=isilon group by index

If your deployment is receiving all of the data you expect, you should see these sourcetypes: 

  • emc:isilon:rest
  • emc:isilon:syslog
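
The search below is an added example, not part of the original page or the add-on. It extends the check above by listing each expected sourcetype with its event count and minutes since the last event, and it marks a sourcetype as missing when nothing has arrived in the selected time range. It assumes the recommended index name isilon; the field names events, last_seen, lag_min, and status are chosen for illustration.

```spl
| tstats count AS events latest(_time) AS last_seen WHERE index=isilon BY sourcetype
| append
    [| makeresults
     | eval sourcetype=split("emc:isilon:rest,emc:isilon:syslog", ",")
     | mvexpand sourcetype
     | eval events=0
     | fields sourcetype events]
| stats sum(events) AS events max(last_seen) AS last_seen BY sourcetype
| eval lag_min=if(isnull(last_seen), null(), round((now() - last_seen) / 60))
| eval status=if(events=0, "missing", "ok")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table sourcetype status events last_seen lag_min
```

A syslog row that shows missing while the REST row shows ok indicates that the modular input is collecting but the syslog feed from the cluster is not reaching the indexers, or is being indexed under a different index or sourcetype.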


When your Splunk deployment is ingesting Dell EMC Isilon data, you can use the data to achieve the following: