Solved: List/count no of all file my forwarder is monitori...

robertlynch2020 · ‎09-09-2020

Hi

I have an environment that is increasing in files each day, this I think is causing high CPU on the forwarders as the number of files is increasing.

I am looking to prove this, so is there a command I can run on the forwarder that will tell me the number of files it is monitoring, etc... or something that will give me data on this topic?

Regards

Robert Lynch

richgalloway · ‎09-09-2020

The command splunk list monitor will tell you which files a forwarder is monitoring, but not give a number (the shell can help with that) nor show how the list has changed over time.

Try this query in a search head, instead.

| tstats prestats=true dc(source) as files where index=* host=<forwarder-name> by _time
| timechart dc(source) as files

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-09-2020

The command splunk list monitor will tell you which files a forwarder is monitoring, but not give a number (the shell can help with that) nor show how the list has changed over time.

Try this query in a search head, instead.

| tstats prestats=true dc(source) as files where index=* host=<forwarder-name> by _time
| timechart dc(source) as files

---
If this reply helps you, Karma would be appreciated.

List/count no of all file my forwarder is monitoring

universal forwarder

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio