Getting Data In

How to create a report of all forwarders per index/sourcetype, their status (running/stopped), and amount of data pushed to that index per day?

athorat
Communicator

How do I get the number of forwarders per index/source type along with the status (running/stopped) and the amount of data being pushed to that index per day?
Say list of all forwarders with status and the amount of data indexed for index=DNS sourcetype=PROD:DNS

0 Karma

lguinn2
Legend

Here is an answer that may help you get started

Listing forwarders

However, there is no way to find out the current status of the forwarder (running/stopped). You can see when a forwarder last sent data, and if it hasn't sent any during the last hour, you could flag it. That's a reasonable proxy for "down".

This doesn't list the data by index or source, just by forwarder. You should take a look at the built-in license usage report on the server that is acting as your license master. Finally, look at the Distributed Management Console (you can get there from the Settings drop-down) - it also has some license usage reports.

Finally, you could install the Deployment Monitor app. I've found it a good source for searches in the past. Usually I just take the searches that seem useful and modify them, then put them in my own app and uninstall the Deployment monitor.

Watch out for the metrics.log - it is a good source for a lot of information, but it only logs the top 10 sources/sourcetypes/hosts for each time period. So although it gives some great information, it won't be complete.

0 Karma
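As an added illustration of the two ideas above (it is not part of lguinn2's answer and is not one of the Deployment Monitor searches), here are two searches built on the default field names that the forwarder's metrics.log and the license master's license_usage.log emit. The first one lists every forwarder seen by your indexers in the search time range, when it last sent data, and flags it as a likely outage if nothing has arrived in the last hour (the one-hour threshold is an assumption; tune it to your forwarders' normal cadence):

```spl
index=_internal source=*metrics.log group=tcpin_connections
| eval forwarder=coalesce(hostname, sourceHost)
| stats max(_time) AS last_seen sum(kb) AS total_kb BY forwarder guid fwdType version
| eval status=if(now() - last_seen > 3600, "no data in last hour", "sending")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort status forwarder

index=_internal source=*license_usage.log type=Usage idx=DNS st="PROD:DNS"
| eval gb=b/1024/1024/1024
| timechart span=1d sum(gb) AS gb_indexed BY st
```

The second search gives the daily indexed volume for the index/sourcetype from the question (the values idx=DNS and st="PROD:DNS" are taken from the question; adjust them to your environment). Two caveats: license_usage.log is written on the license master, so run that search there or add the license master as a search peer; and when the number of distinct host/source/sourcetype/index combinations exceeds the license squash threshold, the host and source fields are squashed in the log while index and sourcetype are kept, so a per-index/per-sourcetype breakdown stays reliable but a per-forwarder breakdown from this log does not.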