Getting Data In

Few forwarders not sending data

Vetrikmr
New Member

Hey everyone, I have installed UF agents on 180 servers and I saw the data coming into Splunk yesterday. But now I have noticed three of them are not sending data; I mean I am seeing 177 hosts in Splunk. So how can we find out which three UFs are not sending data? I have configured all of these using the Deployment Server, with the same index and same sourcetype. And is there a way to get alerts when a forwarder stops sending data or has any issue? I am using Splunk 6.3. Thank you.

0 Karma

adonio
Ultra Champion

Hello there,

When you say "not sending data", do you mean to the regular indexes or to the _internal index?
Try this to find out how many distinct forwarders are out there and which ones send to _internal but do not send "data":

| tstats dc(host) as unique values(host) as hosts where index=_*
| mvexpand hosts
| appendcols [ | tstats values(host) as data_hosts where index=*]
| eval match = if(hosts=data_hosts,1,0)
| where match=0

If you have only 177 distinct forwarders, then you will probably have to manually figure out where the other 3 are.
If you have 180 sending to _internal, then it means that those unique 3 either have wrong inputs on them or there is no data generated.

Hope it helps

0 Karma

cboillot
Contributor

I am not sure what this search is doing. I went line by line and was following up until I got to line 3. Line three adds a field with all the hosts, but just for the first entry, at least it does when I run them. From here, all of the 500+ hosts would still be listed at step five, except for the first one.

Is there something I am missing?

What I did get to work, or it seems like it works, is this:

| tstats dc(host) as unique values(host) as hosts where index=_*
| appendcols [ | tstats values(host) as data_hosts where index=*]
| mvexpand hosts
| eval match = if(hosts=data_hosts,1,0)
| where match=0

0 Karma

somesoni2
SplunkTrust
0 Karma
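An added example, not taken from any post in this thread: a single search that covers both parts of the question by comparing each host's most recent _internal event with its most recent event in the regular indexes. The 60-minute threshold (`stale_after_min`) and the status labels are assumptions to adjust. Run it over a time range long enough to include the last time every forwarder reported, for example the last 7 days.

```spl
| tstats max(_time) as last_seen where index=* OR index=_internal by host index
| eval last_internal=if(index="_internal", last_seen, null())
| eval last_data=if(index!="_internal", last_seen, null())
| stats max(last_internal) as last_internal max(last_data) as last_data by host
| eval stale_after_min=60
| eval internal_age_min=round((now()-last_internal)/60)
| eval data_age_min=round((now()-last_data)/60)
| eval status=case(
    isnull(last_internal) OR internal_age_min>stale_after_min, "forwarder silent (no recent _internal events)",
    isnull(last_data), "forwarder alive, no data indexed (check inputs)",
    data_age_min>stale_after_min, "forwarder alive, data stale",
    true(), "ok")
| where status!="ok"
| convert ctime(last_internal) ctime(last_data)
| table host status last_internal last_data internal_age_min data_age_min
```

Saved as a scheduled alert that triggers when the number of results is greater than zero, this reports a forwarder that stops sending. A host that never reported inside the search window does not appear at all, so catching those requires comparing against a list of expected hosts, such as a lookup.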