Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to monitor and index actively?

hochit
Path Finder
‎11-02-2010 02:28 AM

Hi,

I have problem with my Splunk indexing. I found an index haven't been running and updated for 2 days. But it has no any sign for me until I searched and found out. I still can't identify it's Splunk or system problem.

Other indexes are working well, the license index volume is not exceeded.

So what can I do to monitor the health of an index actively? Also, what kind of debug log that I should turn on or look into?

Please advice!

Thanks, Philip

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎11-02-2010 04:26 AM

Additionally, inside Splunk some index health checks are available in the Search app under the menu Status -> Index Activity.

You could also enable an alert for a saved search with which you verify indexing health.

something like:

index=_internal group=per_index_thruput source=*metrics.log NOT series=_* |
eval last_seen=now()-_time | stats max(last_seen) as seconds_since_seen by series |
rename series as index

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎11-02-2010 04:26 AM

Additionally, inside Splunk some index health checks are available in the Search app under the menu Status -> Index Activity.

You could also enable an alert for a saved search with which you verify indexing health.

something like:

index=_internal group=per_index_thruput source=*metrics.log NOT series=_* |
eval last_seen=now()-_time | stats max(last_seen) as seconds_since_seen by series |
rename series as index
0 Karma
Reply
Solved! Jump to solution

Pawlub1
Engager
‎01-08-2024 03:41 PM

Hi, 

I would like to use it as an alert, but a bit confused the trigger

index=_internal group=per_index_thruput source=*metrics.log NOT series=_* | eval last_seen=now()-_time | stats max(last_seen) as seconds_since_seen by series | rename series as index | where seconds_since_seen < 120

Specifically, a value for the 'seconds_since_seen', if most indices are about the 800 second range, I am not sure if a low value like 120 seconds going to cause false positives.

Any suggestions for a proper value to monitor indices would be greatly appreciated.

Cheers, Paul

 

0 Karma
Reply
Solved! Jump to solution

hochit
Path Finder
‎11-03-2010 06:31 AM

Thanks bwooden! The search is what I wanted!

The outcome is I can see there's no "index=_internal group=per_index_thruput..." for an index, and I don't have idea why.

Anyway, it's great preventive procedure for me.

0 Karma
Reply
Solved! Jump to solution

tedder
Communicator
‎11-02-2010 02:37 AM

I have very active indexes, so I just go to manager->indexes and look at the most recent time.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...