
How to get Indexer utilization of last 24 hrs.

New Member

Hi Guys,

I am trying to get the utilization of all the indexers for the last 24 hrs. I am trying to enter the string below, but it is giving me the data of the total capacity of the indexers, not only the last 24 hrs.

| eventcount summarize=false report_size=true index="*" timechart span=1d sum(GB) | eval size_MB=size_bytes/(1024*1024) | eval size_GB=size_MB/1024 | where size_GB > 5 | sort -size_GB | head 10

I have tried the strings below from the Splunk references, but they don't work for me.

index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

Can somebody correct me or answer me to help on this?

0 Karma

SplunkTrust

Hi Steave4app,
You could use the search that you can find in the License usage dashboard:

index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time | join type=outer slave_guid [rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name] | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "dimensione dello stack" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

that gives the total volume of indexed logs for each Indexer.

Bye.
Giuseppe

0 Karma

New Member

Hi Cusello,

Sir, I have checked but it did not work for me. Kindly see below error while running this query.

[subsearch]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/licenser/slaves?count=0 from server=https://127.0.0.1:8089

Can you help me to get guidance on my query?

Kind Regards,

0 Karma

SplunkTrust

Hi Steave4app,
try this:
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Bye.
Giuseppe

0 Karma

Legend

Have you looked at the Distributed Monitoring Console, which is available with a Splunk Enterprise instance and looks at several Splunk performance aspects, including indexers and indexing, like:
1) search head and indexer clustering
2) index and volume usage
3) indexing performance

https://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

New Member

Hi Niket,

Thanks for the response. We do not have the Splunk Enterprise app. Having some limited resources at this moment, I am searching with this query.

0 Karma

Legend

Can you see if you have access to Splunk's _internal index?

index=_internal sourcetype=splunkd source="*metrics.log" group=per_Index_thruput | timechart sum(kb) by series

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma