Splunk Search

default interval for data sending

jangid
Builder

I am using Universal forwarder to send data to main Splunk instance to monitor files/directories.

What is default interval to send data?
How do I change this interval for x seconds to y seconds?

Tags (2)
0 Karma
1 Solution

Ayn
Legend

There is no interval. The forwarder sends data as soon as it has anything to send. You should expect some minor delay before you see the data in your index since data needs to move through the various queues in both the forwarder and the indexer, though. The inputs your forwarder is configured with might use some kind of intervals, like scripted inputs or WMI based inputs.

View solution in original post

Ayn
Legend

There is no interval. The forwarder sends data as soon as it has anything to send. You should expect some minor delay before you see the data in your index since data needs to move through the various queues in both the forwarder and the indexer, though. The inputs your forwarder is configured with might use some kind of intervals, like scripted inputs or WMI based inputs.

Ayn
Legend

What's in your environment that makes it a bad idea to send the data as soon as it arrives to the forwarder?

0 Karma

InkerzBrad
Explorer

If the log constantly changes, then it would be expensive to send a TCP traffic every time it changes.

0 Karma

Ayn
Legend

To achieve that you'd need to use a scripted input that only reads the data once an hour. There's some stuff on it here: http://splunk-base.splunk.com/answers/59916/can-you-set-a-certain-time-forwarding-occurs

jangid
Builder

Then how do I configure Splunk Universal forwarder to send data every one hour to main Instance?

0 Karma
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...