Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Search: Distributed Search

This topic is a reference for the Monitoring Console dashboards related to distributed search. See About the Monitoring Console in this manual.

What do these views show?

The distributed search views expose the health, activity, and performance of the distributed search framework.

These views focus on communication between a search head and its peers during searches. In contrast, the search head clustering dashboards describe communication between search heads.

There are two basic ways to use these views:

1. Navigate to the health check at top of view, specific to this product area. Verify that these basic checks pass.

2. If your users report distributed search problems, use these views to understand how the components are performing. For example, users might see messages like "search peers could not participate in the search" or about search peers being unavailable or taking too long. For these types of messages, use these dashboards. If you know the instance reporting the problems, go directly to the Distributed search: Instance view. If not, start at the Distributed search: Deployment view. Look at the history of how these instances were behaving. These views can help you understand the distributed search framework. This hopefully gives you a better idea of the nature of the problem.

Interpret results in these views

For either view (Instance or Deployment), you can choose to examine search heads or search peers by selecting Search heads or Indexers at the top of the page. The metrics displayed on the dashboard change depending on which role you select.

On the Instance view, select a search head to see how the search head is communicating with its peers, from the operating context of this search head.

What to look for in these views

Scan for red flags in the Health Checks at the top of each view. The health checks are not comprehensive across the entire distributed search infrastructure. Rather, they are a high-level check of basic things.

The Snapshot panel exposes response times to a request and times for bundle replication. These times are vitals because they should take a very short time (under a second). Generally, if any of these times is a few seconds or longer, then something is not right.

In the Deployment view, select the search heads radial and use column sorting to inspect timing metrics:

  • Dispatch directories are reaped per operation, so times over 15 seconds indicate problems.
  • Bundle directory reaping should also be much less than 15 seconds.

The three Heartbeat metrics represent a vital on the search head. When they're high, the search peers might be oversubscribed and having trouble responding to communication requests in a timely manner. Response times over 1 second are not ideal and could indicate a developing problem. Response times over 5 or 10 seconds will start hitting up against timeouts. When this happens, searches actually fail. To continue troubleshooting, match this with the Resource Usage: Machine view corresponding to this peer. See Intermittent authentication timeouts on search peers in the Troubleshooting Manual for more information.

For additional help with distributed search problems, see General troubleshooting issues in the Distributed Search Manual.

Troubleshoot these views

All of the metrics that these views leverage were introduced in Splunk Enterprise 6.3.0. If a component of your deployment is on a Splunk Enterprise version older than 6.3.0, these views will not include data from that component.

The snapshot panels use data from a variety of endpoints.

All historical panels in these views get their data from metrics.log.

Last modified on 25 February, 2019
Search: Scheduler Activity   Search: Search Head Clustering

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters