Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to find that indexer is working by using command in search head??

Madhan45
Path Finder
‎03-29-2015 10:48 PM

How to find whether the indexer is receving data or not using a specific command in search head??

Tags (1)
0 Karma
Reply

fdi01
Motivator
‎03-30-2015 01:51 AM

run a search on the search head . in that search you specify that indexer you want to know if it is working.
from results check host , source and sourcetype default fields you can know if your indexer is working or not .
note: you can refer you on the metadata like hosts , source and sourcetype fields which indique you where data comme in.

sorry for my english.

Reply

satishsdange
Builder
‎03-29-2015 11:54 PM

Below searches might help you -

  • Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?

    index=_internal source=metrics.log tcpin_connections | stats count by sourceIp

  • What is my hourly thruput by index/source/host? (select timerange of 24 hours or similar)

    index=_internal source=metrics.log per_index_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_source_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals
    index=_internal source=metrics.log per_host_thruput | eval mb=(kb/1024) | timechart span=1h sum(mb) by series | addtotals

What hosts have NOT sent data in the past day, but HAVE sent data within the last 7 days

| metadata type=hosts | eval seven_days_ago=now()-604800 | eval one_day_ago=now()-86400 | where recentTime > seven_days_ago | where recentTime < one_day_ago | search host!=*hostname | convert ctime(recentTime) as recent_event | eval _time=recentTime | fields host
0 Karma
Reply

gfuente
Motivator
‎03-29-2015 11:50 PM

An easy check would be:

index=_internal | stats count by splunk_server

This will give you a list of indexer that are indexing data and also are giving results back to the search

Regards

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...