Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to find that indexer is working by using command in search head??

Madhan45
Path Finder
‎03-29-2015 10:48 PM

How to find whether the indexer is receving data or not using a specific command in search head??

Tags (1)
0 Karma
Reply

fdi01
Motivator
‎03-30-2015 01:51 AM

run a search on the search head . in that search you specify that indexer you want to know if it is working.
from results check host , source and sourcetype default fields you can know if your indexer is working or not .
note: you can refer you on the metadata like hosts , source and sourcetype fields which indique you where data comme in.

sorry for my english.

Reply

satishsdange
Builder
‎03-29-2015 11:54 PM

Below searches might help you -

  • Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?

    index=_internal source=metrics.log tcpin_connections | stats count by sourceIp

  • What is my hourly thruput by index/source/host? (select timerange of 24 hours or similar)

    index=_internal source=metrics.log per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_source_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_host_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals

What hosts have NOT sent data in the past day, but HAVE sent data within the last 7 days

| metadata type=hosts | eval seven_days_ago=now()-604800 | eval one_day_ago=now()-86400 | where recentTime > seven_days_ago | where recentTime < one_day_ago | search host!=*hostname | convert ctime(recentTime) as recent_event | eval _time=recentTime | fields host
0 Karma
Reply

gfuente
Motivator
‎03-29-2015 11:50 PM

An easy check would be:

index=_internal | stats count by splunk_server

This will give you a list of indexer that are indexing data and also are giving results back to the search

Regards

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...