Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Panel that shows search factor and replication factor status of our Splunk deployment?

Arpit_S
Path Finder
‎11-03-2017 10:30 AM

Hi,

Search factor and replication factor are not MET in our splunk deployment. I want to create a dashboard panel to be able to see the Search Factor and Replication Factor. It can also be an alert.

I got the below answer:

https://answers.splunk.com/answers/329356/how-to-create-and-trigger-an-alert-when-replicatio.html

But while running the provided search I am getting below error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '\"\", \"icon-check\", \"icon-alert\")'.

Is there any way to create a query for this ?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2017 11:08 AM

Do you have Splunk's monitoring console (DMC) enabled in some node? If yes, There are Indexer cluster dashboards available in monitoring console which you can use. You can also take the query from that dashboard and create your alert.

If not, you can use following query to create your panel. Please note this will work on cluster master node. If you want this on your search heads, add your cluster master node as search peer to your search heads.

 | rest  /services/cluster/master/generation/master       
| fields pending_last_reason, search_factor_met, replication_factor_met 
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable")
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met")
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-03-2017 11:08 AM

Do you have Splunk's monitoring console (DMC) enabled in some node? If yes, There are Indexer cluster dashboards available in monitoring console which you can use. You can also take the query from that dashboard and create your alert.

If not, you can use following query to create your panel. Please note this will work on cluster master node. If you want this on your search heads, add your cluster master node as search peer to your search heads.

 | rest  /services/cluster/master/generation/master       
| fields pending_last_reason, search_factor_met, replication_factor_met 
| eval all_data_searchable = if (isnull(pending_last_reason) or pending_last_reason=="", "All Data is Searchable", "Some Data is Not Searchable")
| eval search_factor_met = if (search_factor_met == 1 or search_factor_met == "1", "Search Factor is Met", "Search Factor is Not Met")
| eval replication_factor_met = if (replication_factor_met == 1 or replication_factor_met == "1", "Replication Factor is Met", "Replication Factor is Not Met")"
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...