Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk_server

halbeisendv
Path Finder
‎12-13-2019 12:10 PM

I frequently envoke on my search head against a indexer cluster with 10 members:

index= | dedup splunk_server | table splunk_server

If my search is less than 10, it's usually an indicator of a indexer problem. Today, I happened to envoke my command, saw that the indexer count was only 9. When I ran a follow-on search of index=_internal host= there was a gap/stoppage in the data.

After searching around looking for a gap in the data (any indexed data), a crash, a restart, a stop and a start, I am unable to find corroborating evidence that splunk was ever down, if in fact it ever was. The whole/gap in the data is gone. I was not able to hop on the VM with my unix credentials to look around.

Any words of wisdom on why the initial search "index= | dedup splunk_server | table splunk_server" was missing an indexer. Is there merit in this search and/or is this some other quick method to see what's happening. Due to constraints of my access, I only had the search head to work with -- other components of my environment are not available as a remote user. Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

halbeisendv
Path Finder
‎12-15-2019 12:15 PM

Your response was very useful. Thank you.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

halbeisendv
Path Finder
‎12-16-2019 03:23 AM

][1]
I did accept your answer.

Preview file
29 KB
0 Karma
Reply
Solved! Jump to solution
Solution

halbeisendv
Path Finder
‎12-15-2019 12:15 PM

Your response was very useful. Thank you.

0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎12-13-2019 01:20 PM

Try one of these instead:

| tstats count where index=* by splunk_server, _time

| tstats count where index=_internal by splunk_server, _time

Or build upon them to get the data you are looking for.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

codebuilder
Influencer
‎12-15-2019 02:05 PM

Glad to hear that solved it for you. If it did, please "accept" my answer.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...