Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to find that indexer is working by using command in search head??

Madhan45
Path Finder
‎03-29-2015 10:48 PM

How to find whether the indexer is receving data or not using a specific command in search head??

Tags (1)
0 Karma
Reply

fdi01
Motivator
‎03-30-2015 01:51 AM

run a search on the search head . in that search you specify that indexer you want to know if it is working.
from results check host , source and sourcetype default fields you can know if your indexer is working or not .
note: you can refer you on the metadata like hosts , source and sourcetype fields which indique you where data comme in.

sorry for my english.

Reply

satishsdange
Builder
‎03-29-2015 11:54 PM

Below searches might help you -

  • Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?

    index=_internal source=metrics.log tcpin_connections | stats count by sourceIp

  • What is my hourly thruput by index/source/host? (select timerange of 24 hours or similar)

    index=_internal source=metrics.log per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_source_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_host_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals

What hosts have NOT sent data in the past day, but HAVE sent data within the last 7 days

| metadata type=hosts | eval seven_days_ago=now()-604800 | eval one_day_ago=now()-86400 | where recentTime > seven_days_ago | where recentTime < one_day_ago | search host!=*hostname | convert ctime(recentTime) as recent_event | eval _time=recentTime | fields host
0 Karma
Reply

gfuente
Motivator
‎03-29-2015 11:50 PM

An easy check would be:

index=_internal | stats count by splunk_server

This will give you a list of indexer that are indexing data and also are giving results back to the search

Regards

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...