Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Index Master statistics different between Settings, Indexes and Setting, Index Clustering, Indexes

thormanrd
Path Finder
‎01-14-2020 07:21 AM

I have an index cluster with 24 indexers, and a set of custom indexes that I manage on the index master in $SPLUNK_HOME/etc/master-apps/_cluster/local. When I deploy the configuration bundle the indexes are configured on the indexers and reflected in Index Master Web UI just fine. However, the statistics between the Settings, Indexes and Setting, Index Clustering, Indexes web pages on the Index Master WebUI do not match. Bucket statistics seems reasonable on the Setting, Index Clustering, Indexes tab, but the Settings, Indexes pages continues to show 0 Events and no event dates for my custom indexes. Why?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thormanrd
Path Finder
‎01-14-2020 10:53 AM

Looks like the Settings, Indexes page has the statistics for the local file system(s) where indexed data is stored on that node. Since my index master is not an indexer, all the statistics are zero meaning there is no local bucket storage on that node. The Settings, Index Clustering, Indexes is the cluster wide metrics for all indexers cumulatively. I discovered this by browsing to all the indexers Settings, Indexes and found the metrics were different per node. All together they added up to Settings, Index Clustering, Indexes.

So, the Settings, Indexes is local. Settings, Index Clustering, Indexes is the sum of all index cluster members.

G2G

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

thormanrd
Path Finder
‎01-14-2020 10:53 AM

Looks like the Settings, Indexes page has the statistics for the local file system(s) where indexed data is stored on that node. Since my index master is not an indexer, all the statistics are zero meaning there is no local bucket storage on that node. The Settings, Index Clustering, Indexes is the cluster wide metrics for all indexers cumulatively. I discovered this by browsing to all the indexers Settings, Indexes and found the metrics were different per node. All together they added up to Settings, Index Clustering, Indexes.

So, the Settings, Indexes is local. Settings, Index Clustering, Indexes is the sum of all index cluster members.

G2G

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...