topic Re: Log forwarding not every 30 seconds in Getting Data In

Log forwarding not every 30 seconds

bosseres — Mon, 01 Feb 2021 11:51:04 GMT

Hello Team,

As far as I know, forwarder must forward logs to indexer every 30 seconds.

I've reinstalled system and trying to configure it.

I opened 9997 port on indexer for receiving, and did ./splunk add forward-server ip and ./splunk add monitor /var/log

Logs collecting, it's alright, but not every 30 seconds, no errors in logs

what can cause this problem?

Re: Log forwarding not every 30 seconds

scelikok — Mon, 01 Feb 2021 13:47:27 GMT

Hi @bosseres,

Forwarders sends logs to indexers immediately, they do not wait 30 seconds. Maybe you are confusing with auto load balance period which is 30 seconds default. Since you have only one indexer this is not valid.

Any log file change in /var/log path should be immediately sent to indexer.

Re: Log forwarding not every 30 seconds

richgalloway — Mon, 01 Feb 2021 14:20:33 GMT

The default interval is 60 seconds. Look in $SPLUNK_HOME/etc/system/local to see the setting for /var/log and to change it, if desired. Remember to restart the forwarder if you change the setting.

Re: Log forwarding not every 30 seconds

bosseres — Mon, 01 Feb 2021 14:33:11 GMT

how can I set interval?

I put in inputs.conf but this not helped

[perfmon:///var/log]
interval = 30

Re: Log forwarding not every 30 seconds

bosseres — Mon, 01 Feb 2021 14:34:03 GMT

Yes forwarder is working, it sends data when some event occured, but I want configure to send data every 30 seconds, even if there are no events

Re: Log forwarding not every 30 seconds

richgalloway — Mon, 01 Feb 2021 15:17:02 GMT

Did you restart the forwarder after changing props.conf?

Re: Log forwarding not every 30 seconds

bosseres — Tue, 02 Feb 2021 07:17:41 GMT

Yes, I did, but i m not sure that i've changed parameter which I should

can you say what exactly should I change there? thank you

Re: Log forwarding not every 30 seconds

Anonymous — Tue, 02 Feb 2021 08:24:13 GMT

If there are no new events, what type of data would you like it to send?

Do you want to use it like a heartbeat to warn if a client is missing?

Re: Log forwarding not every 30 seconds

bosseres — Tue, 02 Feb 2021 09:02:45 GMT

Yes, I just study working with Splunk, and want to be sure that events are collecting

By the way, if I don't miss something, earlier my indexer got events every 30 seconds, thats why I want to return it

Re: Log forwarding not every 30 seconds

Anonymous — Tue, 02 Feb 2021 09:38:11 GMT

ah I understand.

When you have added a new input stanza, and restartet the service for it to load properly.
You nedd to restart the Universal Forwarder to make it reload the setting.

Are you using windows or Linux?

Every time Splunk boots or is restarted it is written the output into a splunkd.log file.
This could be checked with nano or notepad, depending on youre operativsystem.
If there is any problem during startup, perhaps an error in the input settings, it would be in there.

You recieved at a earlier stage a new event every 30 second, I would check those events and find out what type of info it is. Then I would check the file on the server that you got the event from and double cheeck that the file is updatet every 30 second.
Spluk dont make the logs, it is just gathering the logs. So iI think therefore maybe a application updatet the logfile every 30 sconds. But this you need to check manually.

Perhaps you could make a scheduled or cron job to update a txt file with a timestamp every 30 second just to make sure that everything is in order, for testing.

Best of luck