Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the number of universal forwarder to send and receive

xsstest
Communicator
‎07-27-2017 06:50 PM

I want to create an alert to reminde to remind me that the number of logs sent by forwarders is increasing dramatically.

For example:

12: 00-13: 00 The number of events sent by the UF is 5000 (To be exact, the average number of hours in 24 hours is about 5000)
13: 00-14: 00 The number of events sent by the UF is 30,000

Then I will think that this is an unusual behavior.

How should I do it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 07:03 PM

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 07:03 PM

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:12 PM

@mmodestino [Splunk] It looks like i need a storage, such as kvstore, but I don't have one here

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 08:25 PM

not sure I follow. It can be installed on any search head. Probably best on the License Master or Monitoring Console.

Otherwise check the monitoring console > forwarders: Deployment > Status & Configuration table and the forwarder connection panel and build off these searches (open in search and have a look) for the volume the forwarder is sending and events per second

The mostly focus on (index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*)

alt text

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:38 PM

@mmodestino

Hi, I installed this APP on the search header member, but the data are all 0. I see that it uses the inputlookup command,
Should I set something up first?

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:47 PM

@mmodestino in my master node.I can see the information about the UF. But why does not APP have any data?

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-28-2017 05:15 AM

you need to enable one of meta woot!'s scheduled searches.

I generally use the 5 min one

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...