How can I monitor the number of current artifacts (search jobs in dispatch) from Splunk internal logs in a search head clustering environment?

SplunkTrust

Hi,

For troubleshooting and alerting purposes, I would like to be able to monitor the number of current active artifact objects in the dispatch directory of our search heads ($SPLUNK_HOME/var/run/splunk/dispatch) in a search head cluster deployment.

As Splunk warns when there are more artifacts than the default limits, I guess it should be possible to retrieve the number of artifacts from the internal Splunk logs (_internal, _audit, _introspection) or the | rest command?

I could not find the right search yet; is it possible?

Thank you in advance.

Guilhem

0 Karma
1 Solution

SplunkTrust

Ended with a small sh script that reports the number of directories within the dispatcher of each search head and we're good 🙂

0 Karma
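
The directory count described in the accepted answer could look like the sh script below. It is an added example, not the poster's own script; the /opt/splunk default, the 5000 threshold and the key=value output layout are assumptions.

```shell
#!/bin/sh
# Added example: count search artifacts (one sub-directory per job) in a
# Splunk dispatch directory and print one key=value event per run.

# Assumed defaults; override them through the environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DISPATCH_DIR="${DISPATCH_DIR:-$SPLUNK_HOME/var/run/splunk/dispatch}"
WARN_THRESHOLD="${WARN_THRESHOLD:-5000}"   # hypothetical alert level

# Print the number of immediate sub-directories of $1.
# Returns 1 when $1 is not a readable directory.
count_artifacts() {
    [ -d "$1" ] && [ -r "$1" ] || return 1
    n=0
    for entry in "$1"/*; do
        # Skips an unmatched glob, plain files and symlinks.
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Emit one event line: UTC timestamp, host, directory, count and status.
# status is ok, warn (count >= limit) or missing (directory unreadable).
report_artifacts() {
    dir=$1
    limit=$2
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    if count=$(count_artifacts "$dir"); then
        if [ "$count" -ge "$limit" ]; then status=warn; else status=ok; fi
    else
        count=-1
        status=missing
    fi
    echo "$ts host=$(uname -n) dispatch_dir=\"$dir\" artifact_count=$count status=$status"
}

report_artifacts "$DISPATCH_DIR" "$WARN_THRESHOLD"
```

Run on each search head (for instance as a scripted input), every member reports its own count, so the events can be charted or alerted on per host.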

New Member

How can I find the current active artifact objects in the dispatch directory by user?

0 Karma

Splunk Employee

I think this search leveraging 'rest' should do what you want - there are a number of ways to further differentiate between running / completed jobs, etc. if you need to break that out.

| rest /services/search/jobs | stats count
0 Karma

SplunkTrust

After having checked in deployment architecture, I indeed get the number of artifacts on the search head where the search was executed.

To your knowledge, is there a way to target all of our search heads with the | rest command?

0 Karma

Legend

Have you considered using the Distributed Management Console on a search head (must be outside the SHC) and making it the "search head of search heads"?

0 Karma

SplunkTrust

Hi,

Yes, it is already the case.

We are monitoring our distributed deployment (4x cluster indexer, 4x sh cluster, deployment, Heavy and Universal forwarders) from the DMC, which is deployed on the master node.

The DMC has access to every peer; can I get the number of artifacts from the introspection data?

Currently we are facing a 6.2.6 bug that prevents the captain from correctly cleaning artifacts (SPL official case opened, fix expected 18th November). This reveals to us the importance of monitoring artifacts of sh nodes, and I would prefer doing it from Splunk directly rather than writing an sh script to count the number of objects in dispatch directories of sh nodes... 🙂

0 Karma

Engager
0 Karma

SplunkTrust

Hi,

Yes, that's correct, and interesting.
We've opened a case, and support gave us that information about the upcoming fix (in 6.2.8).
Migrating to 6.3.x would be nice, but we're not yet ready to.

Thanks for your comment.

0 Karma

SplunkTrust

Hi,

Thank you for your answer.
I've checked on a standalone instance, and indeed it reports the number of current artefacts in dispatcher.

I will check how this works in the sh cluster, and if I can get the result for each search head with the rest command.
And will revert.

Guilhem

0 Karma