https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199448#M39482 <P>Maybe, you could configure a regular monitor. Then use cron or any other scheduler tool to start and stop the UF as needed</P> <P>You could install several instances of uf in the same host, if needed, one for real time monitoring and the other one for batch (with the start and stop trick...)</P> <P>Regards</P> Fri, 10 Jan 2014 12:36:16 GMT gfuente 2014-01-10T12:36:16Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199443#M39477 <P>Hi Guys,</P> <P>I set-up Heavy forwarder at Machine-1 and wants to send data on Machine-2, since network in involve in between so i want to minimize the network traffic to prevent certain type of events and send the imp event immediately but less imp event per day or per hours. <BR /> Many Places i read that using universal forwarder we cann't do filter as well as interval setting, that's why i moved to Heavy forwarder, I can able to filter out events in heavy forwarders but unable to set periodicity. </P> <P>It would be great help if some one can tell me stanza for setting interval of polling, <BR /> lets say, I want to monitor, <STRONG>"testlog" all time and "testlog1" after every 30 mins and "testlog2" after every 1 hours.</STRONG> </P> <P>Right now my inputs.conf is below, </P> <P>[monitor:///usr/local/preview/splunk/testlog/*]<BR /> index = main<BR /> sourcetype = testlog</P> <P>[splunktcp://9997]<BR /> connection_host = ip<BR /> _TCP_ROUTING = splunkindexer_9997 </P> Mon, 28 Sep 2020 15:37:47 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199443#M39477 moohkhol 2020-09-28T15:37:47Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199444#M39478 <P>This is not unique to Universal Forwarders - no Splunk instance has the option to send logs just periodically. So, moving to a heavy forwarder does not help.</P> Fri, 10 Jan 2014 10:43:42 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199444#M39478 Ayn 2014-01-10T10:43:42Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199445#M39479 <P>What's the best practice for splunk to achieve this, lets say i wants to use log for data analytics perspective, i don't need real time information, even if it's hours old or day old it would me fine for me, it would be very general requirement. <BR /> Any suggestion for that would help me a lots.</P> Fri, 10 Jan 2014 10:49:21 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199445#M39479 moohkhol 2014-01-10T10:49:21Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199446#M39480 <P>What's the best practice for splunk to achieve this, lets say i wants to use log for data analytics perspective, i don't need real time information, even if it's hours old or day old it would me fine for me, it would be very general requirement. <BR /> Any suggestion for that would help me a lots.</P> Fri, 10 Jan 2014 10:50:03 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199446#M39480 moohkhol 2014-01-10T10:50:03Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199447#M39481 <P>Commonly this is not a problem as most environments don't have so little bandwidth. If it's bandwidth you're concerned about, you can limit at which rate forwarders send their data in limits.conf. Default for a Universal Forwarder is 256kB/s.</P> Fri, 10 Jan 2014 10:52:59 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199447#M39481 Ayn 2014-01-10T10:52:59Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199448#M39482 <P>Maybe, you could configure a regular monitor. Then use cron or any other scheduler tool to start and stop the UF as needed</P> <P>You could install several instances of uf in the same host, if needed, one for real time monitoring and the other one for batch (with the start and stop trick...)</P> <P>Regards</P> Fri, 10 Jan 2014 12:36:16 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199448#M39482 gfuente 2014-01-10T12:36:16Z https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199449#M39483 <P>Also, on the bandwidth consumption concern, note that if you enable useclientSSLcompression on the universal forwarder, you will achieve significant compression benefit. See here: </P> <P><A href="http://answers.splunk.com/answers/92067/forwarder-output-compression-ratio">http://answers.splunk.com/answers/92067/forwarder-output-compression-ratio</A></P> <P>The heavyweight forwarder is not nearly as efficient. General rule of thumb - if you are dropping more than about 60% of the traffic, then it warrants an HWF.</P> Fri, 10 Jan 2014 21:27:38 GMT https://community.splunk.com/t5/Getting-Data-In/Configure-heavy-forwarder-to-send-data-periodically/m-p/199449#M39483 jbrodsky_splunk 2014-01-10T21:27:38Z