Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search to return cluster ingest rate (KB/s)

nnesje
Loves-to-Learn Lots
‎11-04-2022 10:03 AM

I'm looking for a search I can run that will return the ingest rate (KB/s) across the entire cluster.  I know there's a "Deployment-Wide Total Indexing Rate" panel in the DMC dashboard "Indexing Performance: Deployment" that contains this data but I need to recreate this on the cluster itself to push to a summary index for retention and quick export. 

Also, if there's a similar search that will return events/s, I'm looking for that as well.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:09 AM

When you click on the magnifying glass icon in the lower-right corner of a MC dashboard panel the panel will open in a Search window where you can modify the query as desired and then save it in your dashboard or report.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:41 AM

Understood, but saving those dashboard panels as a separate report in the DMC doesn't help me. I need to re-create those searches NOT in the DMC, which is a stand-alone searchhead and not part of the shcluster. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-04-2022 11:43 AM

Once you have the search open you can copy it anywhere you need it.  It doesn't have to stay on the MC.  You will, however, need to expand the DMC macros used by the search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

nnesje
Loves-to-Learn Lots
‎11-04-2022 11:57 AM

Can you go into more detail on "expanding the macros" for the DMC-based searches?  As I understand it, the DMC is running jobs that collect data from the cluster and store it on the DMC, then the dashboards call that data via the searches/macros.  When I try to copy/run a search that's part of a dashboard in the DMC on a non-DMC searchhead that's part of the cluster, I'm not seeing anything since the DMC data is not searchable from the SH cluster.  I'm happy to hear if I'm wrong or if there's another way to access DMC data from the main cluster.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...