Getting Data In

How to get the health status of a heavy (or universal) forwarder?

egrignon
Explorer

Hello Splunk Community,

I m running a heavy forwarder on my central syslog server in order to index most of our logs.

I have no idea on how busy my forwarder is and if I can give him more to forward.

Is there any command or tool that I can run which will help me to determine if I have room to give my forwarder to read more files to forward to my indexers?

I would have the same question for a universal forwarder.

Thank you in advance,

Etienne Grignon

Tags (3)
0 Karma

Ron_Naken
Splunk Employee
Splunk Employee

Install the Deployment Monitor app and view the "All Forwarders" tab:

http://splunk-base.splunk.com/apps/67836/splunk-deployment-monitor

Among the many things it displays, it should show you events per second, as well as how much data is being sent per forwarder.

The Splunk on Splunk app provides another view for forwarder data volume on the Metrics tab. You can split by Forwarder on the "Estimated incoming network volume" panel:

http://splunk-base.splunk.com/apps/29008/sos-splunk-on-splunk

If you're looking for CPU, memory, disk i/o, etc. for the forwarders, monitor the OS for the desired metrics.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...