Deployment Architecture

How can I monitor the number of current artifacts (search jobs in dispatch) from Splunk internal logs in a search head clustering environment?

guilmxm
SplunkTrust

Hi,

For troubleshooting and alerting purposes, I would like to be able to monitor the number of current active artifact objects in the dispatch directory of our search heads ($SPLUNK_HOME/var/run/splunk/dispatch) in a search head cluster deployment.

As Splunk warns when there are more artifacts than the default limits, I guess it should be possible to retrieve the number of artifacts from the internal Splunk logs (_internal, _audit, _introspection) or the | rest command?

I could not find the right search yet. Is it possible?

Thank you in advance.

Guilhem

0 Karma
1 Solution

guilmxm
SplunkTrust

Ended with a small sh script that reports the number of directories within the dispatcher of each search head and we're good 🙂

0 Karma
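
A sketch of the kind of script the accepted solution describes, added here as an example and not the poster's own script: it counts the artifact directories under dispatch and prints one key=value event per run. The `/opt/splunk` default and the `WARN_THRESHOLD` value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: SPLUNK_HOME defaults to
# /opt/splunk, and WARN_THRESHOLD is a constructed value, not a Splunk setting.

count_artifacts() {
    # $1 = dispatch directory. Prints the number of immediate subdirectories
    # (one per search artifact); stray files are not counted.
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "dispatch directory not found: $dir" >&2
        return 1
    fi
    find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

report_artifacts() {
    # $1 = dispatch directory, $2 = warning threshold.
    # Prints one key=value event, which Splunk extracts into fields at search time.
    ts=$(date '+%Y-%m-%dT%H:%M:%S%z')
    if n=$(count_artifacts "$1"); then
        if [ "$n" -ge "$2" ]; then status=warn; else status=ok; fi
    else
        # Emit an event anyway so an unreadable path is visible in the index.
        n=-1
        status=error
    fi
    printf '%s dispatch_dir="%s" artifact_count=%s threshold=%s status=%s\n' \
        "$ts" "$1" "$n" "$2" "$status"
}

report_artifacts "${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/dispatch" \
    "${WARN_THRESHOLD:-2000}"
```

Deployed as a scripted input on each search head (an assumption about how it is run), the host field identifies which member each count came from.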

leticiamartello
New Member

How can I find the current active artifact objects in the dispatch directory by user?

0 Karma

emechler_splunk
Splunk Employee

I think this search leveraging 'rest' should do what you want - there are a number of ways to further differentiate between running / completed jobs, etc. if you need to break that out.

| rest /services/search/jobs | stats count

0 Karma

guilmxm
SplunkTrust

After having checked in our deployment architecture, I indeed get the number of artifacts on the search head where the search was executed.

To your knowledge, is there a way to target all of our search heads with the | rest command?

0 Karma

lguinn2
Legend

Have you considered using the Distributed Management Console on a search head (must be outside the SHC) and making it the "search head of search heads"?

0 Karma

guilmxm
SplunkTrust

Hi,

Yes, it is already the case.

We are monitoring our distributed deployment (4x cluster indexer, 4x sh cluster, deployment, Heavy and Universal forwarders) from the DMC, which is deployed on the master node.

The DMC has access to every peer. Can I get the number of artifacts from the introspection data?

Currently we are facing a 6.2.6 bug that prevents the captain from cleaning artifacts correctly (SPL official case opened, fix expected 18th November). This reveals to us the importance of monitoring artifacts of sh nodes, and I would prefer doing it from Splunk directly rather than writing an sh script to count the number of objects in dispatch directories of sh nodes... 🙂

0 Karma

cjonestsi
Engager
0 Karma

guilmxm
SplunkTrust

Hi,

Yes, that's correct, and interesting.
We've opened a case, and support gave us that information about the upcoming fix (in 6.2.8).
Migrating to 6.3.x would be nice, but we're not yet ready to.

Thanks for your comment

0 Karma

guilmxm
SplunkTrust

Hi,

Thank you for your answer.
I've checked on a standalone instance, and indeed it reports the number of current artefacts in dispatcher.

I will check how this works in sh cluster, and if I can get the result for each search head with the rest command.
And will revert.

Guilhem

0 Karma