https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216891#M176601 <P>Hi</P> <P>is there an easy way to find forwarders that are not sending data to all available indexers? We see, that some indexers have more data than others and we would like to find out why, so we can take countermeasures and increase the overall performance of our Splunk installation.</P> <P>Regards<BR /> Chris</P> Thu, 29 Sep 2016 06:24:28 GMT chris 2016-09-29T06:24:28Z https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216891#M176601 <P>Hi</P> <P>is there an easy way to find forwarders that are not sending data to all available indexers? We see, that some indexers have more data than others and we would like to find out why, so we can take countermeasures and increase the overall performance of our Splunk installation.</P> <P>Regards<BR /> Chris</P> Thu, 29 Sep 2016 06:24:28 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216891#M176601 chris 2016-09-29T06:24:28Z https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216892#M176602 <P>Insert your servers in a lookup with column header host and the run this search<BR /> <EM>| inputlookup perimeter.csv | eval count=0 | append [ search index=_internal |stats count by host ] | stats sum(count) AS Total | where Total=0</EM><BR /> In this way you can find servers of your lookup that didn't connected.<BR /> Beware to the name of the column in lookup: must be host or you have to rename it before "append" command.<BR /> If you want, you can create a Dashboard to display the server status, to do this follow the indication in <A href="https://answers.splunk.com/answers/454346/splunk-dashboard-widget-to-display-the-state-of-se.html">https://answers.splunk.com/answers/454346/splunk-dashboard-widget-to-display-the-state-of-se.html</A>.<BR /> Bye.<BR /> Giuseppe </P> Thu, 29 Sep 2016 08:18:05 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216892#M176602 gcusello 2016-09-29T08:18:05Z https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216893#M176603 <P>The following query should give you a list of indexers not receiving data from all your forwarders which I think it might help as a start:</P> <PRE><CODE>index=_internal sourcetype=splunkd source=*metrics.log group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) [ | dbinspect index=* | stats count by splunk_server | fields - count | rename splunk_server as host ] | stats values(hostname) as Forwarders, dc(hostname) as Count by host | rename host as Indexer | eventstats max(Count) as Max_Count | where Count &lt; Max_Count </CODE></PRE> <P>If you swap host with hostname then what you have is a list of forwarder not sending to the maximum number of indexers available in your deployment:</P> <PRE><CODE>index=_internal sourcetype=splunkd source=*metrics.log group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) [ | dbinspect index=* | stats count by splunk_server | fields - count | rename splunk_server as host ] | stats values(host) as Indexers, dc(host) as Count by hostname | rename hostname as Forwarder | eventstats max(Count) as Max_Count | where Count &lt; Max_Count </CODE></PRE> <P>Hope that helps.</P> <P>Regards,<BR /> J</P> Thu, 29 Sep 2016 10:53:04 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-find-forwarders-that-do-not-send-data-to-all-indexers/m-p/216893#M176603 javiergn 2016-09-29T10:53:04Z