
how to find that indexer is working by using command in search head??

Path Finder

How to find whether the indexer is receiving data or not using a specific command in search head??

0 Karma

Re: how to find that indexer is working by using command in search head??

Motivator

An easy check would be:

index=_internal | stats count by splunk_server

This will give you a list of indexers that are indexing data and are also giving results back to the search.

Regards

0 Karma

Re: how to find that indexer is working by using command in search head??

Builder

The searches below might help you:

  • Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?

    index=_internal source=*metrics.log tcpin_connections | stats count by sourceIp

  • What is my hourly thruput by index/source/host? (select timerange of 24 hours or similar)

    index=_internal source=*metrics.log per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=*metrics.log per_source_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=*metrics.log per_host_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals

  • What hosts have NOT sent data in the past day, but HAVE sent data within the last 7 days?

    | metadata type=hosts | eval seven_days_ago=now()-604800 | eval one_day_ago=now()-86400 | where recentTime > seven_days_ago | where recentTime < one_day_ago | search host!=*hostname | convert ctime(recentTime) as recent_event | eval _time=recentTime | fields host
0 Karma
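What the hourly throughput search above computes, shown offline as an added example that is not part of the original thread: it parses metrics.log lines, sums `kb/1024` per hour and series, and lists series that went quiet. The sample lines are constructed, their key=value layout is an assumption about metrics.log, and the function names `hourly_mb` and `silent_series` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the key=value layout of metrics.log is assumed here.
SAMPLE = '''\
03-01-2024 10:05:31.120 INFO  Metrics - group=per_index_thruput, series="main", kbps=4.1, eps=12.0, kb=2048.000000, ev=372
03-01-2024 10:36:02.120 INFO  Metrics - group=per_index_thruput, series="main", kbps=2.0, eps=6.0, kb=1024.000000, ev=186
03-01-2024 10:36:02.120 INFO  Metrics - group=per_index_thruput, series="_internal", kbps=1.0, eps=3.0, kb=512.000000, ev=93
03-01-2024 11:02:33.120 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.0, eps=3.0, kb=512.000000, ev=93
03-01-2024 11:02:33.120 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.5, kb=99.000000
this line is truncated and must be skipped
'''

LINE = re.compile(r'^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d)\.\d+ \S+\s+Metrics - (.*)$')
PAIR = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def hourly_mb(text, group="per_index_thruput"):
    """Return {(hour, series): MB}, like eval mb=kb/1024 | timechart span=1h sum(mb) by series."""
    totals = defaultdict(float)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-metrics line
        fields = {k: v.strip('"') for k, v in PAIR.findall(m.group(2))}
        if fields.get("group") != group or "series" not in fields:
            continue  # other metric groups (e.g. tcpin_connections) are ignored
        try:
            kb = float(fields["kb"])
        except (KeyError, ValueError):
            continue  # missing or non-numeric kb value
        hour = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S").strftime("%Y-%m-%d %H:00")
        totals[(hour, fields["series"])] += kb / 1024
    return dict(totals)

def silent_series(totals, hour):
    """Series seen in an earlier hour but absent in `hour` (possible stalled input)."""
    seen = {s for (h, s) in totals if h < hour}
    current = {s for (h, s) in totals if h == hour}
    return sorted(seen - current)

if __name__ == "__main__":
    t = hourly_mb(SAMPLE)
    for key in sorted(t):
        print(key, round(t[key], 3))
    print("silent at 11:00:", silent_series(t, "2024-03-01 11:00"))
```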

Re: how to find that indexer is working by using command in search head??

Motivator

Run a search on the search head. In that search, specify the indexer you want to know is working.
From the results, check the host, source and sourcetype default fields; you can know if your indexer is working or not.
Note: you can refer to the metadata like the hosts, source and sourcetype fields, which indicate where the data comes in.

Sorry for my English.