For troubleshooting and alerting purposes, I would like to be able to monitor the number of current active artifact objects in the dispatch directory of our search heads ($SPLUNK_HOME/var/run/splunk/dispatch) in a search head cluster deployment.
As Splunk warns when there are more artifacts than the default limits, I guess it should be possible to retrieve the number of artifacts from internal Splunk logs (_internal, _audit, _introspection) or the | rest command?
I could not find the right search yet; is it possible?
Thank you in advance.
I think this search leveraging 'rest' should do what you want - there are a number of ways to further differentiate between running / completed jobs, etc. if you need to break that out.
| rest /services/search/jobs | stats count
After having checked in deployment architecture, I indeed get the number of artifacts on the search head where the search was executed.
To your knowledge, is there a way to target all of our search heads with the | rest command?
Yes it is already the case.
We are monitoring our distributed deployment (4x cluster indexer, 4x sh cluster, deployment, Heavy and Universal forwarders) from the DMC which is deployed in the master node.
The DMC has access to every peer; can I get the number of artifacts from the introspection data?
Currently we are facing a 6.2.6 bug that prevents the captain from correctly cleaning artifacts (SPL official case opened, fix expected 18th November). This reveals to us the importance of monitoring artifacts of sh nodes, and I would prefer doing it from Splunk directly rather than writing an sh script to count the number of objects in dispatch directories of sh nodes... 🙂
Yes, that's correct, and interesting.
We've opened a case, and support gave us that information about the upcoming fix (in 6.2.8).
Migrating to 6.3.x would be nice, but we're not yet ready to.
Thanks for your comment.
Thank you for your answer.
I've checked on a standalone instance, and indeed it reports the number of current artefacts in dispatcher.
I will check how this works in sh cluster, and if I can get the result for each search head with the rest command.
And will revert.