Splunk Search

How to get Indexer utilization of last 24 hrs.

Steave4app
New Member

Hi Guys,

I am trying to get the utilization of all the indexers for the last 24 hrs. I am entering the string below, but it gives me the data for the total capacity of the indexers, not only the last 24 hrs.

| eventcount summarize=false report_size=true index="*" timechart span=1d sum(GB) | eval size_MB=size_bytes/(1024*1024) | eval size_GB=size_MB/1024 | where size_GB > 5 | sort -size_GB | head 10

I have tried the strings below from the Splunk references, but they don't work for me.

index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

Can somebody correct me or answer me to help on this?

0 Karma

gcusello
SplunkTrust

Hi Steave4app,
You could use the search that you can find in the License usage dashboard:

index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time | join type=outer slave_guid [rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name] | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "dimensione dello stack" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

that gives the total volume of indexed logs for each Indexer.

Bye.
Giuseppe

0 Karma

Steave4app
New Member

Hi Cusello,

Sir, I have checked but it did not work for me. Kindly see below error while running this query.

[subsearch]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/licenser/slaves?count=0 from server=https://127.0.0.1:8089

Can you help me to get guidance on my query?

Kind Regards,

0 Karma

gcusello
SplunkTrust

Hi Steave4app,
try this:
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Bye.
Giuseppe

0 Karma

niketn
Legend

Have you looked at the Distributed Monitoring Console, which is available with a Splunk Enterprise instance and looks at several Splunk performance aspects, including indexers and indexing, like:
1) search head and indexer clustering
2) index and volume usage
3) indexing performance

https://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Steave4app
New Member

Hi Niket,

Thanks for the response. We do not have the Splunk Enterprise app. Having limited resources at this moment, I am searching with this query.

0 Karma

niketn
Legend

Can you see if you have access to Splunk's _internal index?

index=_internal sourcetype=splunkd source="*metrics.log" group=per_Index_thruput | timechart sum(kb) by series

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
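
An added example, not written by any poster in this thread: the per_index_thruput search from the reply above, bounded to the last 24 hours and totalled per indexer and per index. It assumes the `host` field of the `metrics.log` events identifies the indexer that wrote them and that the `_internal` index is searchable from your role.

```spl
index=_internal sourcetype=splunkd source="*metrics.log" group=per_index_thruput earliest=-24h latest=now
| stats sum(kb) AS kb BY host, series
| eval GB=round(kb/1024/1024, 3)
| eventstats sum(GB) AS indexer_total_GB BY host
| sort 0 - indexer_total_GB, - GB
| table host, series, GB, indexer_total_GB
```

By default `metrics.log` records only the 10 busiest series per sampling interval, so these totals can undercount on indexers with many active indexes.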