Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search to return cluster ingest rate (KB/s)

nnesje
Loves-to-Learn Lots
‎11-04-2022 10:03 AM

I'm looking for a search I can run that will return the ingest rate (KB/s) across the entire cluster.  I know there's a "Deployment-Wide Total Indexing Rate" panel in the DMC dashboard "Indexing Performance: Deployment" that contains this data but I need to recreate this on the cluster itself to push to a summary index for retention and quick export. 

Also, if there's a similar search that will return events/s, I'm looking for that as well.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:09 AM

When you click on the magnifying glass icon in the lower-right corner of a MC dashboard panel the panel will open in a Search window where you can modify the query as desired and then save it in your dashboard or report.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:41 AM

Understood, but saving those dashboard panels as a separate report in the DMC doesn't help me. I need to re-create those searches NOT in the DMC, which is a stand-alone searchhead and not part of the shcluster. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:43 AM

Once you have the search open you can copy it anywhere you need it.  It doesn't have to stay on the MC.  You will, however, need to expand the DMC macros used by the search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:57 AM

Can you go into more detail on "expanding the macros" for the DMC-based searches?  As I understand it, the DMC is running jobs that collect data from the cluster and store it on the DMC, then the dashboards call that data via the searches/macros.  When I try to copy/run a search that's part of a dashboard in the DMC on a non-DMC searchhead that's part of the cluster, I'm not seeing anything since the DMC data is not searchable from the SH cluster.  I'm happy to hear if I'm wrong or if there's another way to access DMC data from the main cluster.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...