Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk_server

halbeisendv
Path Finder
‎12-13-2019 12:10 PM

I frequently envoke on my search head against a indexer cluster with 10 members:

index= | dedup splunk_server | table splunk_server

If my search is less than 10, it's usually an indicator of a indexer problem. Today, I happened to envoke my command, saw that the indexer count was only 9. When I ran a follow-on search of index=_internal host= there was a gap/stoppage in the data.

After searching around looking for a gap in the data (any indexed data), a crash, a restart, a stop and a start, I am unable to find corroborating evidence that splunk was ever down, if in fact it ever was. The whole/gap in the data is gone. I was not able to hop on the VM with my unix credentials to look around.

Any words of wisdom on why the initial search "index= | dedup splunk_server | table splunk_server" was missing an indexer. Is there merit in this search and/or is this some other quick method to see what's happening. Due to constraints of my access, I only had the search head to work with -- other components of my environment are not available as a remote user. Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

halbeisendv
Path Finder
‎12-15-2019 12:15 PM

Your response was very useful. Thank you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

halbeisendv
Path Finder
‎12-16-2019 03:23 AM

][1]
I did accept your answer.

Preview file
29 KB
0 Karma
Reply
Solved! Jump to solution
Solution

halbeisendv
Path Finder
‎12-15-2019 12:15 PM

Your response was very useful. Thank you.

0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎12-13-2019 01:20 PM

Try one of these instead:

| tstats count where index=* by splunk_server, _time

| tstats count where index=_internal by splunk_server, _time

Or build upon them to get the data you are looking for.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎12-15-2019 02:05 PM

Glad to hear that solved it for you. If it did, please "accept" my answer.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...