How to find out if splunk is indexing data?

irakeshraut · ‎02-09-2015

Hey guys,

I am new to splunk, started using it since yesterday. How can i find out if splunkd is indexing or not? Is it possible to find this information on terminal / web ?

I checked that my splunk is running by typing sudo service splunk status. But now I need to find out if its indexing or not.

Final Target: I want to send alert to scoutapp if splunkd is not indexing.

Thanks in advance.

kserra_splunk · ‎02-10-2015

To quickly check if splunk is indexing you can run the following search command from the search app in splunk web

index=*

This will show all data recently indexed by splunk. This includes internal splunk data as well so make sure that the data you want to monitor is present.

To setup alerts you will need to determine what data you want to alert on, then you can create a custom search/alert to alert if data stops coming in, below are a few previous splunk answers post which detail how to do this

http://answers.splunk.com/answers/9860/email-alert-when-a-data-source-dont-sends-events-to-splunk.ht...

http://answers.splunk.com/answers/3181/how-do-i-alert-when-a-host-stops-sending-data.html

https://answers.splunk.com/answers/37439/license-usage-monitoring-issue.html

irakeshraut · ‎02-11-2015

Can I search index=* using api ? I need to search for indexes tat happened in last 5 minutes only. How to do this using API?

How to find out if splunk is indexing data?

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!