Splunk search for Splunk instances with queues over 80% full

index=_internal group=queue
| eval percent_full=((current_size_kb/max_size_kb)*100)
| search percent_full>80
| dedup host, name
| table _time host name current_size_kb max_size_kb
| rename host as Host, name as Queue, current_size_kb as "Current Queue Size", max_size_kb as "Max Queue Size"
This Splunk search returns a table of the Splunk instances that have any queue over 80% full, with one row per host and queue showing the queue's current and maximum size in KB. It is useful for identifying where in your Splunk environment the ingestion pipeline is backing up.
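
The same percent-full check applied directly to metrics.log lines (the source of the group=queue events in index=_internal), as an added example that is not part of the original page. The function name and the sample lines are constructed for illustration; because the host is Splunk metadata rather than a field in the line, results are keyed by queue name only.

```python
import re

# Constructed sample lines in the metrics.log group=queue layout (not real data).
SAMPLE = """\
03-12-2024 09:15:01.204 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=512, current_size=9, largest_size=14, smallest_size=0
03-12-2024 09:15:01.204 +0000 INFO  Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=1033, largest_size=1040, smallest_size=0
03-12-2024 09:15:01.204 +0000 INFO  Metrics - group=queue, name=customqueue, max_size_kb=0, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
03-12-2024 09:15:32.310 +0000 INFO  Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=450, current_size=980, largest_size=1040, smallest_size=0
03-12-2024 09:15:32.310 +0000 INFO  Metrics - group=thruput, name=index_thruput, instantaneous_kbps=1.2
""".splitlines()

KV = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs separated by ", "


def full_queues(lines, threshold=80.0):
    """Return {queue: row} holding the newest sample of each queue above threshold percent."""
    hits = {}
    for line in lines:
        head, sep, body = line.partition(" Metrics - ")
        fields = dict(KV.findall(body))
        if not sep or fields.get("group") != "queue":
            continue  # not a queue metrics event
        try:
            name = fields["name"]
            cur = float(fields["current_size_kb"])
            cap = float(fields["max_size_kb"])
        except (KeyError, ValueError):
            continue  # queue line without usable name or size fields
        if cap <= 0:
            continue  # no capacity reported; skip rather than divide by zero
        pct = cur / cap * 100
        if pct > threshold:
            # Input is in time order, so a later match replaces an earlier one,
            # which mirrors dedup keeping the most recent event per queue.
            hits[name] = {
                "time": " ".join(head.split()[:3]),
                "current_size_kb": cur,
                "max_size_kb": cap,
                "percent_full": round(pct, 1),
                "blocked": fields.get("blocked") == "true",
            }
    return hits


if __name__ == "__main__":
    for queue, row in full_queues(SAMPLE).items():
        print(queue, row)
```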

Category: General Splunk

Tags: internal, Admin, general
