https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321116#M59907 <P>I have an example in this <A href="https://github.com/gjanders/SplunkAdmins/blob/master/default/savedsearches.conf">savedsearches.conf</A> from the <A href="https://github.com/gjanders/SplunkAdmins/">SplunkAdmins app</A> that I created. My search is similar to other answers but I have used:</P> <PRE><CODE>index=_internal "has reached maxKBps. As a result, data forwarding may be throttled" sourcetype=splunkd | stats count(_raw) by host as countPerHost | where countPerHost &gt; 1 </CODE></PRE> Tue, 24 Oct 2017 02:26:52 GMT gjanders 2017-10-24T02:26:52Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321113#M59904 <P>What is the search query to alert when the forwarder reaches max thruput? </P> Sun, 22 Oct 2017 14:03:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321113#M59904 mamir32825 2017-10-22T14:03:33Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321114#M59905 <P>from an answer by @burwell at the <A href="https://answers.splunk.com/answers/584191/need-a-search-alert-query-when-the-forwarder-reach.html">post</A> - Here's what I do to detect throttled forwarders. I have a scheduled search for last 4 hours (-240m to now) and then alert for any events:</P> <PRE><CODE> index=_internal " INFO " " throttled" NOT debug source=*splunkd.log* | dedup host |sort host| table host _raw </CODE></PRE> <P>This gives me a nice table per host and I can see the hosts and what the thruput is that is getting throttled. Example output:</P> <PRE><CODE> foo1.host.com 10-22-2017 18:26:28.131 +0000 INFO ThruputProcessor - Current data throughput (258 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf. foo2.host.com 10-22-2017 18:29:28.324 +0000 INFO ThruputProcessor - Current data throughput (512 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf. </CODE></PRE> Mon, 23 Oct 2017 07:45:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321114#M59905 inventsekar 2017-10-23T07:45:12Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321115#M59906 <P>Hi<BR /> In Distributed Monitoring Console you can find a dashboard panel that list forwarder's connections.</P> <PRE><CODE>| inputlookup dmc_forwarder_assets | eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps) | fields hostname status avg_tcp_kbps | where avg_tcp_kbps&gt;threeshold </CODE></PRE> <P>From this search you can find the Average kb/s and put a threeshold alert.</P> <P>Bye.<BR /> Giuseppe</P> Mon, 23 Oct 2017 07:53:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321115#M59906 gcusello 2017-10-23T07:53:59Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321116#M59907 <P>I have an example in this <A href="https://github.com/gjanders/SplunkAdmins/blob/master/default/savedsearches.conf">savedsearches.conf</A> from the <A href="https://github.com/gjanders/SplunkAdmins/">SplunkAdmins app</A> that I created. My search is similar to other answers but I have used:</P> <PRE><CODE>index=_internal "has reached maxKBps. As a result, data forwarding may be throttled" sourcetype=splunkd | stats count(_raw) by host as countPerHost | where countPerHost &gt; 1 </CODE></PRE> Tue, 24 Oct 2017 02:26:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-set-an-alert-for-max-thruput/m-p/321116#M59907 gjanders 2017-10-24T02:26:52Z