Requires Terraform (minimum) v0.14
git clone https://github.com/kdroukman/splunk_poc_terraform.git
terraform init --upgrade
terraform workspace new my_workspace
Where my_workspace is the name of your workspace.
terraform plan -var="access_token=abc123" -var="realm=us1"
Where access_token is the Splunk Access Token and realm is either eu0, us0, us1 or us2.
terraform apply -var="access_token=abc123" -var="realm=us1"
If you created a workspace you will first need to ensure you are in the correct workspace e.g.
terraform workspace select my_workspace
Where my_workspace is the name of your workspace.
terraform destroy -var="access_token=abc123" -var="realm=us1"
This script contains a number of different detectors. You can programmatically modify variables specific to each detector, or even change the filter to set up detectors for specific services and operations. For example:
terraform apply -var="access_token=abc123" -var="realm=us1" -target=signalfx_detector.error_sudden_change -var="current_window='1m'" -var="historic_window='3h'" -var="fire_growth_percent=0.25" -var="min_requests=15"
The above will modify the sudden change alert for error rate growth to the respective settings.
See variables.tf for default values and variables that can be set, and main.tf to understand how these are used within the Detectors. You can set those inline, or create a .tfvars file to manage your configuration.
You may also wish to create different Workspaces and different alerting conditions for different services.
This example script provides you with the name_prefix variable, which you can use to prefix your detector with the respective service, platform or team name.
Notice that detectors use a filter() to select what to alert on. In these scripts the default filter is a catch-all one. Below are some examples of how you can modify it:
Filter on a specific environment and service
-var="filter=filter('sf_environment', 'my_environment') and filter('sf_service', 'my_demo_service') and filter('sf_operation','*')"
Filter on a specific environment and service, but exclude some endpoints
-var="filter=filter('sf_environment', 'my_environment') and filter('sf_service', 'my_demo_service') and not filter('sf_operation','*/healthz')"
The above examples use dimensions related to APM metrics such as spans.count and spans.duration. They are dimensionalized by:
- sf_environment
- sf_service
- sf_operation
- sf_kind
- sf_error
- sf_httpMethod
And additional dimensions on request.
Other metrics are dimensionalized differently - for example, JVM metrics use:
- service
- process_pid
- host.name
- deployment_environment
- etc
You can use the Metrics Finder to explore properties and dimensions associated with specific metrics.
Read more about Splunk Observability data model here
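Passing access_token with -var leaves the token in shell history and in the process list. The wrapper below is an added example, not part of the original repository: it keeps the token in the TF_VAR_access_token environment variable, which Terraform reads for the access_token variable, and moves the non-secret settings into a .tfvars file. The script name, the my_demo_service.tfvars file name and the function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original repository.
# Terraform reads TF_VAR_<name> from the environment, so the token can stay out of argv.

# Return 0 if any argument would put access_token on the command line.
args_leak_token() {
  for arg in "$@"; do
    case "$arg" in
      *access_token=*) return 0 ;;
    esac
  done
  return 1
}

# Write a per-service variable file: $1=file $2=environment $3=service $4=prefix.
# It holds no secret, so it can be committed and reviewed.
write_tfvars() {
  cat > "$1" <<EOF
realm       = "us1"
name_prefix = "$4"
filter      = "filter('sf_environment', '$2') and filter('sf_service', '$3') and not filter('sf_operation','*/healthz')"
EOF
}

# Prompt for the token without echo unless it is already exported.
load_token() {
  if [ -z "${TF_VAR_access_token:-}" ]; then
    printf 'Splunk access token: ' >&2
    stty -echo; IFS= read -r TF_VAR_access_token; stty echo
    printf '\n' >&2
  fi
  export TF_VAR_access_token
}

# Run terraform, refusing any invocation that carries the token in its arguments.
run_tf() {
  if args_leak_token "$@"; then
    echo "refusing: supply the token via TF_VAR_access_token, not -var" >&2
    return 2
  fi
  terraform "$@"
}

# Usage: sh detectors.sh plan|apply   (script name is an assumption)
case "${1:-}" in
  plan|apply)
    write_tfvars my_demo_service.tfvars my_environment my_demo_service my_demo_service
    load_token
    run_tf "$1" -var-file=my_demo_service.tfvars
    ;;
esac
```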
As you notice, the program text within the resources uses Python-like syntax to create detectors. This is the program for the SignalFlow analytics engine, which runs computations at the heart of the Splunk Observability metrics platform.
In the UI you can view it as you create charts and detectors by clicking on the SignalFlow link, usually located in the top right corner of your editor. In Terraform scripts we use the base program text instead.
You can read more about Splunk Observability Terraform Provider here:
Main page: Splunk Terraform Provider
Detectors: Splunk Terraform Provider Detector resource, Splunk Detector Documentation
Note that the provider still references signalfx, as this capability was acquired from SignalFx by Splunk.