Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk indexer

verifi81
Path Finder
‎07-08-2020 08:45 AM

What is a way I can confirm that a splunk server is doing INDEXING?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 08:58 AM

One way is to check splunkd.log to see if the server reports itself as an indexer.

grep "Declared role" /opt/splunk/var/log/splunk/splunkd.log

 Another way is to see if the server is writing any hot buckets.  The _internal index is the best way to check.

ls -l $SPLUNK_DB/_internaldb/db/hot*
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

verifi81
Path Finder
‎07-08-2020 09:23 AM

Is there a way to confirm within the UI? 

I did grep the splunkd.log for "declared role" but nothing came up.   

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-08-2020 11:36 AM

Both can queried from internal index.

index=_internal host=<your host> source=*splunkd.log sourcetype=splunkd “declare role” and time frame enough long to find that entry. And same for buckets. 

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...