Getting Data In

splunk_server

halbeisendv
Path Finder

I frequently envoke on my search head against a indexer cluster with 10 members:

index= | dedup splunk_server | table splunk_server

If my search is less than 10, it's usually an indicator of a indexer problem. Today, I happened to envoke my command, saw that the indexer count was only 9. When I ran a follow-on search of index=_internal host= there was a gap/stoppage in the data.

After searching around looking for a gap in the data (any indexed data), a crash, a restart, a stop and a start, I am unable to find corroborating evidence that splunk was ever down, if in fact it ever was. The whole/gap in the data is gone. I was not able to hop on the VM with my unix credentials to look around.

Any words of wisdom on why the initial search "index= | dedup splunk_server | table splunk_server" was missing an indexer. Is there merit in this search and/or is this some other quick method to see what's happening. Due to constraints of my access, I only had the search head to work with -- other components of my environment are not available as a remote user. Thank you.

0 Karma
1 Solution

halbeisendv
Path Finder

Your response was very useful. Thank you.

View solution in original post

0 Karma

halbeisendv
Path Finder

][1]
I did accept your answer.

0 Karma

halbeisendv
Path Finder

Your response was very useful. Thank you.

0 Karma

codebuilder
SplunkTrust
SplunkTrust

Try one of these instead:

| tstats count where index=* by splunk_server, _time

| tstats count where index=_internal by splunk_server, _time

Or build upon them to get the data you are looking for.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

codebuilder
SplunkTrust
SplunkTrust

Glad to hear that solved it for you. If it did, please "accept" my answer.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...