Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search to return cluster ingest rate (KB/s)

nnesje
Loves-to-Learn Lots
‎11-04-2022 10:03 AM

I'm looking for a search I can run that will return the ingest rate (KB/s) across the entire cluster.  I know there's a "Deployment-Wide Total Indexing Rate" panel in the DMC dashboard "Indexing Performance: Deployment" that contains this data but I need to recreate this on the cluster itself to push to a summary index for retention and quick export. 

Also, if there's a similar search that will return events/s, I'm looking for that as well.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:09 AM

When you click on the magnifying glass icon in the lower-right corner of a MC dashboard panel the panel will open in a Search window where you can modify the query as desired and then save it in your dashboard or report.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:41 AM

Understood, but saving those dashboard panels as a separate report in the DMC doesn't help me. I need to re-create those searches NOT in the DMC, which is a stand-alone searchhead and not part of the shcluster. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:43 AM

Once you have the search open you can copy it anywhere you need it.  It doesn't have to stay on the MC.  You will, however, need to expand the DMC macros used by the search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:57 AM

Can you go into more detail on "expanding the macros" for the DMC-based searches?  As I understand it, the DMC is running jobs that collect data from the cluster and store it on the DMC, then the dashboards call that data via the searches/macros.  When I try to copy/run a search that's part of a dashboard in the DMC on a non-DMC searchhead that's part of the cluster, I'm not seeing anything since the DMC data is not searchable from the SH cluster.  I'm happy to hear if I'm wrong or if there's another way to access DMC data from the main cluster.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...