search Archives -

Searches to check search concurrency for historical or real time

The following Splunk search will output historical or real time concurrency in a timechart by host. *NOTE* Change the text <search_head> to your search heads name, alternatively use a *.

index=_internal host= source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) by host

1	index=_internal host= source=metrics.log group=search_concurrency "system total" NOT user= \| timechart max(active_hist_searches) by host

index=_internal host= source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_realtime_searches) by host

1	index=_internal host= source=metrics.log group=search_concurrency "system total" NOT user= \| timechart max(active_realtime_searches) by host

Continue Reading →

Use REST to gather Index Info

Here is some SPL to get useful information via REST on indexes within your Splunk environment:

| REST /services/data/indexes
| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")
| eval totalEventCount=tostring(totalEventCount, "commas")
| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)
| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

| REST /services/data/indexes

| eval currentDBSizeMB=tostring(currentDBSizeMB, "commas")

| eval totalEventCount=tostring(totalEventCount, "commas")

| eval frozenTimePeriodInHours=(frozenTimePeriodInSecs/60/60)

| table title splunk_server currentDBSizeMB frozenTimePeriodInHours maxTime minTime totalEventCount

Continue Reading →

Tag: search

Searches to check search concurrency for historical or real time

Use REST to gather Index Info