Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find the total and average indexing rates for all indexers?

kteng2024
Path Finder
‎01-09-2017 07:57 PM

hi

Can I please know how to find the total indexing rate of all indexers and average indexing rate? Is there any query for it?

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎01-10-2017 07:56 AM

Hi keteng2024,

You can use the monitoring console to monitor the indexing rate.

  1. In Splunk Web, select Settings > Monitoring Console.
  2. From the Monitoring Control menu, select Indexing > Performance > Indexing Performance (Instance or Deployment).
  3. Select options and view the indexing rate of all indexers or all indexes.
  4. You can click the Open Search icon next to the indexing rate to view the query behind the statistics.

Here is a query example: 

| rest splunk_server=hunter-mac-indexer /services/server/introspection/indexer
            | eval status = if((reason == ".") OR (reason == "") OR isnull(reason), status, status.": ".reason)
            | fields splunk_server, average_KBps, status
            | eval average_KBps = round(average_KBps, 0)
            | join [
              | rest splunk_server=<my_indexer_server> /services/properties/server/general/parallelIngestionPipelines]
            | fields splunk_server, value, average_KBps, status
            | rename splunk_server as Instance, value as "Pipeline Set Count", average_KBps as "Indexing Rate (KB/s)", status as Status, reason as Reason

Another example query to display indexing thruput: 

index=_internal component=Metrics per_index_thruput
| eval mb=(kb/1024) | timechart span=1h sum(mb) by
series | addtotals

Hope it helps. Thanks!
Hunter

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎01-10-2017 08:02 AM

A small correction - In my first example query, hunter-mac-indexer should be , the hostname of the server you are running your indexer.
Thanks!

0 Karma
Reply

dlamb_splunk
Splunk Employee
Splunk Employee
‎01-10-2017 07:33 AM

Depending on what version you are running there may be a few places to look. That said the easiest and best place is probably the Monitoring Console, see link below for docs. If you want to run searches you can, see below for one example. There are a lot of answers already existing for ways to do that. There are quite a few different ways to get to the same data.

DMC - https://docs.splunk.com/Documentation/Splunk/6.5.1/DMC/DMCoverview

Search - https://answers.splunk.com/answers/154773/how-to-create-a-report-that-shows-max-indexed-volume-per-d...

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...