Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search to return cluster ingest rate (KB/s)

nnesje
Loves-to-Learn Lots
‎11-04-2022 10:03 AM

I'm looking for a search I can run that will return the ingest rate (KB/s) across the entire cluster.  I know there's a "Deployment-Wide Total Indexing Rate" panel in the DMC dashboard "Indexing Performance: Deployment" that contains this data but I need to recreate this on the cluster itself to push to a summary index for retention and quick export. 

Also, if there's a similar search that will return events/s, I'm looking for that as well.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:09 AM

When you click on the magnifying glass icon in the lower-right corner of a MC dashboard panel the panel will open in a Search window where you can modify the query as desired and then save it in your dashboard or report.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:41 AM

Understood, but saving those dashboard panels as a separate report in the DMC doesn't help me. I need to re-create those searches NOT in the DMC, which is a stand-alone searchhead and not part of the shcluster. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:43 AM

Once you have the search open you can copy it anywhere you need it.  It doesn't have to stay on the MC.  You will, however, need to expand the DMC macros used by the search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:57 AM

Can you go into more detail on "expanding the macros" for the DMC-based searches?  As I understand it, the DMC is running jobs that collect data from the cluster and store it on the DMC, then the dashboards call that data via the searches/macros.  When I try to copy/run a search that's part of a dashboard in the DMC on a non-DMC searchhead that's part of the cluster, I'm not seeing anything since the DMC data is not searchable from the SH cluster.  I'm happy to hear if I'm wrong or if there's another way to access DMC data from the main cluster.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...