Dell EMC Isilon data is an instance of storage device data and contains data about the configuration, performance, and operational condition of the Isilon file system and the hardware. It also contains access pattern information that is suitable for audits. The data can be pulled from the Isilon system with REST calls to the API or can be pushed using syslog. In the Common Information Model, Dell EMC Isilon data can be mapped to any of the following data models, depending on the field: Inventory, Performance, and Authentication.
Isilon data provides performance information common to storage systems, such as operations per second and bytes written and read. In addition, it provides cache efficiency information, such as hit rates, file system performance by operation, and locking and blocked events. All of this information is useful for troubleshooting operational and performance-related issues.
When your Splunk deployment is ingesting Dell EMC Isilon data, you can use the data to achieve the following objectives:
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Dell EMC resources.
If your deployment is not already ingesting storage device data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is isilon.
The source types are: sourcetype=emc:isilon:rest and sourcetype=emc:isilon:syslog.
The supported input types are modular input and syslog.
In addition, you will need the Dell EMC Isilon Add-on for Splunk Enterprise. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Isilon, and configure Splunk.
The best way to estimate sizing is to send the data to Splunk and use the monitoring console to get ingest sizing by index or sourcetype. Data ingest will vary widely, but an estimated baseline is 500 MB per day per Isilon cluster.
The main app dashboards can take some time to populate. After data collection is started, wait several minutes, then run this search:
| tstats values(sourcetype) WHERE index=isilon group by index
If your deployment is receiving all of the data you expect, you should see these sourcetypes: