Splunk search for Blocked queues

Copy
index=_internal sourcetype=splunkd group=queue (name=parsingQueue OR name=indexqueue OR name=tcpin_queue OR name=aggqueue) | eval blocked=if(blocked=="true",1,0), queued_host=host." - ".name | stats sparkline sum(blocked) as blocked,count by queued_host | eval block_ratio=round(blocked/count*100,2) | sort - block_ratio | eval Finding=case(blocked_ratio>50.0,"Critical",blocked_ratio>40.0,"Warning",blocked_ratio>20.0,"Low",1=1,"Healthy")
This search will provide information on the current status of all indexing queues. The search will map the current percentage blocked to a human readable status such as 'Critical' or 'Healthy'
0 comments

Category:

General Splunk


Tags:

Admin general internal

Search Commands:

Sign in or Register to submit a comment