https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68634#M13899 <P>You could turn on the Splunk Deployment Monitor app (it comes with Splunk). </P> <P>It has some dashboards that show which forwarders are forwarding LESS than usual. You can also set alerts from within the Deployment Monitor.</P> <P>This is why I don't like using rsync unless it is absolutely necessary. You end up having to manually deal with the corner cases when rsync doesn't work. Using a Splunk forwarder is a lot less hassle.</P> Sat, 03 Sep 2011 17:15:14 GMT lguinn2 2011-09-03T17:15:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68632#M13897 <P>I'm working with Splunk setup to copy and index disk logs from remote servers using scheduled rsync transfer. </P> <P>The rsync transfer job has a bandwidth limit specified to avoid overloading the remote servers and the Splunk server. </P> <P>During a recent incident, this rsync bandwidth limit was reached because logs grew too quickly (about 5 GB/hour for about a day). During this time, logs were not transferred for indexing. </P> <P>This is as designed, but Splunk reports nothing for that timeframe, nor gives an indication that data is missing. </P> <P>Our Splunk admin says the rsync transfer failures cannot be reported. Is there a way to use Splunk to detect when logs were not indexed as expected? </P> Thu, 01 Sep 2011 02:06:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68632#M13897 sonam 2011-09-01T02:06:07Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68633#M13898 <P>I would just set up an alert that emails you once a certain number of events falls below your given threshold. </P> Thu, 01 Sep 2011 02:59:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68633#M13898 RicoSuave 2011-09-01T02:59:02Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68634#M13899 <P>You could turn on the Splunk Deployment Monitor app (it comes with Splunk). </P> <P>It has some dashboards that show which forwarders are forwarding LESS than usual. You can also set alerts from within the Deployment Monitor.</P> <P>This is why I don't like using rsync unless it is absolutely necessary. You end up having to manually deal with the corner cases when rsync doesn't work. Using a Splunk forwarder is a lot less hassle.</P> Sat, 03 Sep 2011 17:15:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68634#M13899 lguinn2 2011-09-03T17:15:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68635#M13900 <P>Thanks - that sounds sensible.</P> Thu, 15 Sep 2011 05:47:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68635#M13900 sonam 2011-09-15T05:47:54Z https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68636#M13901 <P>Yes, that would work but may cause a few false positives; for example, when a server was down for maintenance.</P> Thu, 15 Sep 2011 05:49:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-detect-Splunk-log-ingestion-failure/m-p/68636#M13901 sonam 2011-09-15T05:49:36Z