Splunk Search

How to get Indexer utilization of last 24 hrs.

Steave4app
New Member

Hi Guys,

I am trying to get the utilization of all the indexers for the last 24 hrs. I am entering the string below, but it is giving me the data of the total capacity of the indexers, not only the last 24 hrs.

| eventcount summarize=false report_size=true index="*" | timechart span=1d sum(GB) | eval size_MB=size_bytes/(1024*1024) | eval size_GB=size_MB/1024 | where size_GB > 5 | sort -size_GB | head 10

I have tried the strings below from the Splunk references, but they don't work for me.

index=_internal todaysbytesindexed startdaysago=30 | eval GB_Indexed = todaysBytesIndexed/1024/1024/1024 | timechart span=1d avg(GB_Indexed)

index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) | convert ctime(_time) as timestamp

Can somebody correct me or answer me to help on this?


gcusello
SplunkTrust

Hi Steave4app,
You could use the search that you can find in the License usage dashboard:

index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d   | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time | join type=outer slave_guid [rest splunk_server=local /services/licenser/slaves | rename label AS slave_name title AS slave_guid | table slave_guid slave_name] | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false | join type=outer _time [search index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "dimensione dello stack" by _time] | fields - _timediff  | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

that gives the total volume of indexed logs for each Indexer.

Bye.
Giuseppe


Steave4app
New Member

Hi Cusello,

Sir, I have checked, but it did not work for me. Kindly see the error below that appears while running this query.

[subsearch]: Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/licenser/slaves?count=0 from server=https://127.0.0.1:8089

Can you help me to get guidance on my query?

Kind Regards,


gcusello
SplunkTrust

Hi Steave4app,
try this:
index=_internal [`set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(b) AS b by slave, pool, _time | eval slave_guid=slave | stats max(b) AS volume by slave_guid, _time | eval slave_name = if(isnotnull(slave_name),slave_name,"GUID: ".slave_guid) | timechart span=1d max(volume) AS "volume" by slave_name fixedrange=false | fields - _timediff | foreach * [eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]

Bye.
Giuseppe


niketn
Legend

Have you looked at the Distributed Monitoring Console, which is available with a Splunk Enterprise instance and looks at several Splunk performance aspects, including indexers and indexing, like:
1) search head and indexer clustering
2) index and volume usage
3) indexing performance

https://docs.splunk.com/Documentation/Splunk/latest/DMC/DMCoverview

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Steave4app
New Member

Hi Niket,

Thanks for the response. We do not have the Splunk Enterprise app. With limited resources at this moment, I am searching with this query.


niketn
Legend

Can you see if you have access to Splunk's _internal index?

index=_internal sourcetype=splunkd source="*metrics.log" group=per_Index_thruput | timechart sum(kb) by series

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
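Building on the two approaches above (metrics.log per_index_thruput and license_usage.log), here is an added example, not from either poster, that answers the original question of per-indexer volume for the last 24 hours without the REST subsearch that failed. The first search groups the metrics.log throughput by host (the indexer that wrote the metric) over a rolling 24 hours; the second sums license_usage.log type=Usage bytes by the indexer GUID field i, which exists only on the license manager, hence the set_local_host macro from the page.

```spl
index=_internal sourcetype=splunkd source=*metrics.log group=per_index_thruput earliest=-24h@h latest=@h
| eval GB=kb/1024/1024
| stats sum(GB) AS indexed_GB dc(series) AS indexes_seen by host
| eval indexed_GB=round(indexed_GB, 3)
| sort -indexed_GB

index=_internal [`set_local_host`] source=*license_usage.log* type=Usage earliest=-24h@h latest=@h
| eval GB=b/1024/1024/1024
| stats sum(GB) AS licensed_GB dc(idx) AS indexes_seen by i
| rename i AS indexer_guid
| eval licensed_GB=round(licensed_GB, 3)
| sort -licensed_GB
```

Treat the metrics.log figure as an estimate: per_index_thruput only reports the busiest series in each sampling interval, so it undercounts on indexers with many indexes, while license_usage.log type=Usage is the authoritative licensed volume but is available only on the license manager and counts licensed bytes rather than disk usage.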