Splunk Search

How to find whether an indexer is working by using a command in the search head?

Madhan45
Path Finder

How to find whether the indexer is receiving data or not using a specific command in the search head?

0 Karma

fdi01
Motivator

Run a search on the search head. In that search, specify the indexer you want to check.
From the results, check the host, source and sourcetype default fields to know whether your indexer is working or not.
Note: you can refer to the metadata, such as the hosts, source and sourcetype fields, which indicate where the data comes in.

Sorry for my English.

satishsdange
Builder

The searches below might help you:

  • Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?

    index=_internal source=metrics.log tcpin_connections | stats count by sourceIp

  • What is my hourly thruput by index/source/host? (select timerange of 24 hours or similar)

    index=_internal source=metrics.log per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_source_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_host_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals

  • What hosts have NOT sent data in the past day, but HAVE sent data within the last 7 days?

    | metadata type=hosts | eval seven_days_ago=now()-604800 | eval one_day_ago=now()-86400 | where recentTime > seven_days_ago | where recentTime < one_day_ago | search host!=*hostname | convert ctime(recentTime) as recent_event | eval _time=recentTime | fields host
0 Karma

gfuente
Motivator

An easy check would be:

    index=_internal | stats count by splunk_server

This will give you a list of indexers that are indexing data and are also giving results back to the search.

Regards

0 Karma
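
An added example, not taken from any of the posts above: a search run from the search head that reports, for each indexer, how many non-internal events it indexed in the last 24 hours and how long ago the newest one arrived. The 24-hour window and the 15-minute staleness threshold are assumed values to adjust for your environment; an indexer that returned no events for the window does not appear in the output at all, so compare the rows against the indexers you expect.

```spl
| tstats count AS events max(_time) AS last_event
    WHERE index=* earliest=-24h
    BY splunk_server
| eval minutes_since_last_event = round((now() - last_event) / 60, 1)
| eval status = if(minutes_since_last_event > 15, "STALE", "OK")
| convert ctime(last_event)
| sort - minutes_since_last_event
```

Because `index=*` does not match the internal indexes, a row here means the indexer holds data from actual inputs rather than only its own logs.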