Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to determine if forwarder weight distribution is good from search?

mhouse
New Member
‎10-30-2019 08:43 AM

I need help figuring something out.

Got this search during .conf19 to be used to do a Forwarder weight distribution search:

index=_internal Metrics sourcetype=splunkd TERM(group=tcpin_connections) earliest=-4hr latest=now [|dbinspect index=_* 
|stats values(splunk_server) as indexer 
|eval search="host IN (".mvjoin(mvfilter(indexer!=""),",").")"] 
|stats sum(kb) as throughput by hostname 
|sort - throughput 
|eventstats sum(throughput) as total_throughput dc(hostname) as all_forwarders 
|streamstats sum(throughput) as accumlated_throughput count by all_forwarders 
|eval coverage=accumlated_throughput/total_throughput, progress_through_forwarders=count/all_forwarders 
|bin progress_through_forwarders bins=100 
|stats max(coverage) as coverage by progress_through_forwarders all_forwarders 
|fields progress_through_forwarders coverage

How do I interpret the results from this search? If the numerical representation of coverage is within 0.1 across all results is that success? Across 100 results, the coverage values range from 0.82594059014 to 1.0000000.

0 Karma
Reply

codebuilder
Influencer
‎10-30-2019 12:17 PM

If you are using indexer discovery, then the monitoring console on the master will provide a tremendous amount of information regarding your forwarders. Including status, thruput, distribution, and much more.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-30-2019 09:57 AM

Hi mhouse,
did you already explored the Management Console?
probably there's that you're searching: I used it for a customer some months ago.

Ciao.
Giuseppe

0 Karma
Reply

mhouse
New Member
‎10-30-2019 10:00 AM

I don't understand your question. I ran my query on the SH and I am seeking help in understanding the results.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...