How to find whether the indexer is receving data or not using a specific command in search head??
An easy check would be:
index=_internal | stats count by splunk_server
This will give you a list of indexer that are indexing data and also are giving results back to the search
Below searches might help you -
Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?
index=internal source=metrics.log tcpinconnections | stats count by sourceIp
What is my hourly thruput by index/source/host? (select timerange of 24 hours or similar)
index=internal source=metrics.log perindexthruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
index=internal source=metrics.log persourcethruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
index=internal source=metrics.log perhost_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
What hosts have NOT sent data in the past day, but HAVE sent data within the last 7 days
| metadata type=hosts | eval seven_days_ago=now()-604800 | eval one_day_ago=now()-86400 | where recentTime > seven_days_ago | where recentTime < one_day_ago | search host!=*hostname | convert ctime(recentTime) as recent_event | eval _time=recentTime | fields host
run a search on the search head . in that search you specify that indexer you want to know if it is working.
from results check host , source and sourcetype default fields you can know if your indexer is working or not .
note: you can refer you on the metadata like hosts , source and sourcetype fields which indique you where data comme in.
sorry for my english.