Deployment Architecture

How can I monitor the number of current artifacts (search jobs in dispatch) from Splunk internal logs in a search head clustering environment?

guilmxm
Influencer

Hi,

For troubleshooting and alerting purposes, I would like to be able to monitor the number of current active artifact objects in the dispatch directory of our search heads ($SPLUNK_HOME/var/run/splunk/dispatch) in a search head cluster deployment.

As Splunk warns when there are more artifacts than the default limits, I guess it should be possible to retrieve the number of artifacts from the internal Splunk logs (_internal, _audit, _introspection) or the | rest command?

I could not find the right search yet. Is it possible?

Thank you in advance.

Guilhem

0 Karma
1 Solution

guilmxm
Influencer

Ended with a small sh script that reports the number of directories within the dispatcher of each search head and we're good 🙂

0 Karma
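
A minimal sketch of the kind of script the accepted answer describes, as an added example (this is not guilmxm's actual script, which was not posted): it counts the job directories directly under the dispatch directory and prints one key=value line that a scripted input on each search head could index. The function names, the output field names and the /opt/splunk default are assumptions.

```shell
#!/bin/sh
# Added example: count search artifacts (one directory per job) in dispatch.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; field names are illustrative.

# count_dispatch_artifacts DIR
# Prints the number of immediate subdirectories of DIR.
# Returns 1 (printing nothing) if DIR is missing or unreadable.
count_dispatch_artifacts() {
    dir=$1
    [ -d "$dir" ] && [ -r "$dir" ] || return 1
    # Depth 1 only: count job directories, not the files inside them.
    find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# report_dispatch_artifacts [DIR]
# Emits one timestamped key=value event; returns 1 on an unreadable directory
# so that the failure is visible in the indexed data as well.
report_dispatch_artifacts() {
    dir=${1:-${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/dispatch}
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    host=$(uname -n)
    if count=$(count_dispatch_artifacts "$dir"); then
        echo "$ts host=$host dispatch_dir=\"$dir\" artifact_count=$count"
    else
        echo "$ts host=$host dispatch_dir=\"$dir\" error=\"dispatch directory not readable\""
        return 1
    fi
}

# Entry point when run as a script: ./dispatch_count.sh --report
if [ "${1:-}" = "--report" ]; then
    report_dispatch_artifacts
fi
```

Run on every search head, this gives one event per member per interval, so the count can be charted or alerted on per host.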

leticiamartello
New Member

How can I find the current active artifact objects in the dispatch directory by user?

0 Karma

emechler_splunk
Splunk Employee

I think this search leveraging 'rest' should do what you want - there are a number of ways to further differentiate between running / completed jobs, etc. if you need to break that out.

| rest /services/search/jobs | stats count

0 Karma

guilmxm
Influencer

After having checked in our deployment architecture, I indeed get the number of artifacts on the search head where the search was executed.

To your knowledge, is there a way to target all of our search heads with the | rest command?

0 Karma

lguinn2
Legend

Have you considered using the Distributed Management Console on a search head (must be outside the SHC) and making it the "search head of search heads"?

0 Karma

guilmxm
Influencer

Hi,

Yes, it is already the case.

We are monitoring our distributed deployment (4x cluster indexer, 4x sh cluster, deployment, Heavy and Universal forwarders) from the DMC, which is deployed on the master node.

The DMC has access to every peer. Can I get the number of artifacts from the introspection data?

Currently we are facing a 6.2.6 bug that prevents the captain from correctly cleaning up artifacts (SPL official case opened, fix expected 18th November). This reveals to us the importance of monitoring the artifacts of sh nodes, and I would prefer doing it from Splunk directly rather than writing an sh script to count the number of objects in the dispatch directories of sh nodes... 🙂

0 Karma

cjonestsi
Engager
0 Karma

guilmxm
Influencer

Hi,

Yes, that's correct, and interesting.
We've opened a case, and support gave us that information about the upcoming fix (in 6.2.8).
Migrating to 6.3.x would be nice, but we're not yet ready to.

Thanks for your comment

0 Karma

guilmxm
Influencer

Hi,

Thank you for your answer.
I've checked on a standalone instance, and indeed it reports the number of current artefacts in the dispatcher.

I will check how this works in an sh cluster, and if I can get the result for each search head with the rest command.
And will revert.

Guilhem

0 Karma