From de6b45a838799f7c57154bd50f11436318767a6b Mon Sep 17 00:00:00 2001 From: Olga Malita <86965961+omrozowicz-splunk@users.noreply.github.com> Date: Tue, 20 Sep 2022 15:17:21 +0200 Subject: [PATCH] doc: add documentation about rollover issue (#570) * doc: add documentation about rollover issue * doc: fix typos, storage addon * doc: fix metallb section and add completed inventory pod --- docs/bestpractices.md | 22 ++++++++++++++++++++- docs/gettingstarted/mk8s/k8s-microk8s.md | 8 ++++---- docs/gettingstarted/sc4snmp-installation.md | 1 + docs/gettingstarted/splunk-requirements.md | 8 ++++---- 4 files changed, 30 insertions(+), 9 deletions(-) diff --git a/docs/bestpractices.md b/docs/bestpractices.md index 28af7825b..d64e5e631 100644 --- a/docs/bestpractices.md +++ b/docs/bestpractices.md 
@@ -71,4 +71,24 @@ worker: walkRetryMaxInterval: 60 ``` -With the configuration from the above, walk will retry exponentially until it reaches 60 seconds. \ No newline at end of file +With the configuration from the above, walk will retry exponentially until it reaches 60 seconds. + +### SNMP Rollover +The Rollover problem is that the integer value that they store (especially when they are 32-bit) is finite, +and when it’s reaching the maximum, it gets rolled down to 0 again which causes a strange drop in Analytics data. +The most common case of this issue is interface speed on a high speed ports. As a solution to this problem, SNMPv2 SMI defined a new object type, counter64, for 64-bit counters ([read more about it](https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/26007-faq-snmpcounter.html)). +Not all the devices support it, but if they are - remember to always poll counter64 type OID instead of counter32 one. +For example, use `ifHCInOctets` instead of `ifInOctets`. + +If 64-bit counter are not supported on your device, you can write own splunk queries that calculate the shift based on +maximum integer value + current state. The same works for values big enough that they're not fitting 64-bit value. +An example for a SPLUNK query like that (inteface counter), would be: + +``` +| streamstats current=f last(ifInOctets) as p_ifInOctets last(ifOutOctets) as p_ifOutOctets by ifAlias +| eval in_delta=(ifInOctets - p_ifInOctets) +| eval out_delta=(ifOutOctets - p_ifOutOctets) +| eval max=pow(2,64) +| eval out = if(out_delta<0,((max+out_delta)*8/(5*60*1000*1000*1000)),(out_delta)*8/(5*60*1000*1000*1000)) +| timechart span=5m avg(in) AS in, avg(out) AS out by ifAlias +``` \ No newline at end of file diff --git a/docs/gettingstarted/mk8s/k8s-microk8s.md b/docs/gettingstarted/mk8s/k8s-microk8s.md index f287c1f1e..f04874f8d 100644 --- a/docs/gettingstarted/mk8s/k8s-microk8s.md +++ b/docs/gettingstarted/mk8s/k8s-microk8s.md 
@@ -53,7 +53,7 @@ The following commands can be issued from any one node in a cluster ```bash sudo systemctl enable iscsid microk8s enable helm3 -microk8s enable storage +microk8s enable hostpath-storage microk8s enable rbac microk8s enable metrics-server microk8s status --wait-ready @@ -69,9 +69,9 @@ microk8s status --wait-ready ## Install Metallb -Note: when installing metallb you will be prompted for one or more IPs to use as entry points -Into the cluster. If your plan to enable clustering, this IP should not be assigned to the host (floats) -If you do not plan to cluster, then this IP may be the same IP as the host +Note: when installing Metallb you will be prompted for one or more IPs to use as entry points +into the cluster. If your plan to enable clustering, this IP should not be assigned to the host (floats). +If you do not plan to cluster, then this IP should be the IP of your host. Note2: a single IP in cidr format is x.x.x.x/32 use CIDR or range syntax for single server installations this can be the same as the primary ip. diff --git a/docs/gettingstarted/sc4snmp-installation.md b/docs/gettingstarted/sc4snmp-installation.md index b925c7411..960f9b19e 100644 --- a/docs/gettingstarted/sc4snmp-installation.md +++ b/docs/gettingstarted/sc4snmp-installation.md @@ -176,6 +176,7 @@ snmp-mibserver-7f879c5b7c-hz9tz 1/1 Running snmp-mongodb-869cc8586f-vvr9f 2/2 Running 0 133m snmp-redis-master-0 1/1 Running 0 133m snmp-splunk-connect-for-snmp-trap-78759bfc8b-79m6d 1/1 Running 0 99m +snmp-splunk-connect-for-snmp-inventory-mjccw 0/1 Completed 0 6s ``` ### Test SNMP Traps diff --git a/docs/gettingstarted/splunk-requirements.md b/docs/gettingstarted/splunk-requirements.md index 2797cf9a9..e2f10b691 100644 --- a/docs/gettingstarted/splunk-requirements.md +++ b/docs/gettingstarted/splunk-requirements.md 
@@ -18,11 +18,11 @@ reference it in `values.yaml` file later on. Parameters and the instruction on how to do it is here: [SC4SNMP Parameters](sc4snmp-installation.md#configure-splunk-enterprise-or-splunk-cloud-connection) -3. Create or obtain a new Splunk HTTP Event Collector token and the correct HTTPS endpoint. -4. Verify the token using [curl](https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/FormateventsforHTTPEventCollector) Note: The endpoint must use a publicly trusted certificate authority. +2. Create or obtain a new Splunk HTTP Event Collector token and the correct HTTPS endpoint. +3. Verify the token using [curl](https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/FormateventsforHTTPEventCollector) Note: The endpoint must use a publicly trusted certificate authority. -5. The SHARED IP address to be used for SNMP Traps. Note Simple and POC deployments will use the same IP as the host server. If HA deployment will be used, the IP must be in addition to the management interface of each cluster member. -6. Obtain the IP address of an internal DNS server that can resolve the Splunk Endpoint. +4. The SHARED IP address to be used for SNMP Traps. Note Simple and POC deployments will use the same IP as the host server. If HA deployment will be used, the IP must be in addition to the management interface of each cluster member. +5. Obtain the IP address of an internal DNS server that can resolve the Splunk Endpoint. ### Requirements (Splunk Infrastructure Monitoring)
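Review bot: In the SNMP Rollover hunk of docs/bestpractices.md, the example query ends with `timechart span=5m avg(in) AS in`, but no `in` field is ever created: `in_delta` is computed and then never used, and the wrap correction is applied to `out` only. Add the matching `| eval in = if(in_delta<0, ...)` line built from `in_delta`. Also, `max=pow(2,64)` does not fit the case the paragraph introduces (a device without 64-bit counters, polled via `ifInOctets`), where the counter wraps at 2^32; use `pow(2,32)` there or state which counter width the query assumes. The added prose has typos ("inteface", "64-bit counter are", "if they are"), and the file still ends without a trailing newline.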
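Review bot: In the Install Metallb hunk of docs/gettingstarted/mk8s/k8s-microk8s.md, the new sentence "this IP should be the IP of your host" now disagrees with the unchanged Note2 right below it, which still says "this can be the same as the primary ip". Make the two notes say the same thing (both "should" or both "can"). The rewritten line also keeps "If your plan to enable clustering", which should read "If you plan".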
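Review bot: In docs/gettingstarted/sc4snmp-installation.md, the added `snmp-splunk-connect-for-snmp-inventory-mjccw 0/1 Completed` row is the only entry in the sample output that is not `1/1 Running` (or `2/2 Running`), and nothing in the hunk tells the reader that this is expected. If the inventory pod is meant to run to completion, add one sentence under the listing saying so, so that `0/1 Completed` is not read as a failed deployment.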
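Review bot: In docs/gettingstarted/splunk-requirements.md, renumbered item 4 ("The SHARED IP address to be used for SNMP Traps.") is a noun phrase in a list of actions, and "Note Simple and POC deployments" is missing its colon. Since these lines are being rewritten anyway, phrase the item as a step (for example "Obtain the shared IP address ...") and punctuate the note. In item 3, the requirement that the endpoint use a publicly trusted certificate authority trails directly after the curl link; giving it its own sentence or line would keep the TLS requirement from being overlooked.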