Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Show Indexer Activity

brosselle
New Member
‎07-12-2016 07:34 AM

I'm wondering if there is a command line way to show search activity on the indexers. For example, I had a situation where there were no running jobs on the search head, yet my indexers were obviously running a search/task that was hammering the disks.

Is there a way to show that activity? I was thinking I could just connect to the web portal on the indexer and show running jobs, but I was hoping there was a command line way to it.

Tags (1)
0 Karma
Reply

javiergn
Super Champion
‎07-12-2016 09:45 AM

If you are running 6.2 or older you can probably find what you are looking for from the DMC:

Settings > Distributed Management Console > Indexing > Performance > Indexing Performance: Instance

0 Karma
Reply

brosselle
New Member
‎07-12-2016 10:31 AM

That does provide a lot of good info. I don't think it has what I'm looking for though. Here's what happened in my case:

User writes a very resource intensive query and launches it. When it they see it's going to take a REALLY long time, they change the query slightly and then launch that. Repeat that process a dozen times.

When I find out things are going sideways, I log into the search head and see the queries running and realize what's going on.

Here's the weird part...
Even when they all show complete (or killed) under activity, I still have massive disk i/o on the indexers that lasts for awhile longer.

So, what I really want to see is what's happening on the indexer during this time. The DMC will show me that it's getting hammered, but I don't think it will show me the hammer, and a way to potentially kill it, if that's even possible. I ended up restarting Splunk on the indexer to kill it.

0 Karma
Reply

javiergn
Super Champion
‎07-13-2016 02:21 AM

See if this helps in that case:

http://docs.splunk.com/Documentation/Splunk/6.4.2/Search/ManagejobsfromtheOS

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...