Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk indexer

verifi81
Path Finder
‎07-08-2020 08:45 AM

What is a way I can confirm that a splunk server is doing INDEXING?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 08:58 AM

One way is to check splunkd.log to see if the server reports itself as an indexer.

grep "Declared role" /opt/splunk/var/log/splunk/splunkd.log

 Another way is to see if the server is writing any hot buckets.  The _internal index is the best way to check.

ls -l $SPLUNK_DB/_internaldb/db/hot*
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

verifi81
Path Finder
‎07-08-2020 09:23 AM

Is there a way to confirm within the UI? 

I did grep the splunkd.log for "declared role" but nothing came up.   

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-08-2020 11:36 AM

Both can queried from internal index.

index=_internal host=<your host> source=*splunkd.log sourcetype=splunkd “declare role” and time frame enough long to find that entry. And same for buckets. 

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...