Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

forwarder troubleshoot dashboard

Naa_Win
Path Finder
‎12-30-2024 07:28 PM

Hello,

I’m working on creating a Splunk troubleshooting Dashboard for our internal team, who we are new to Splunk, to troubleshoot forwarder issues—specifically cases where no data is being received. I’d like to know the possible ways to troubleshoot forwarders when data is missing or for other related issues. Are there any existing dashboards I could use as a reference? also, what are the key metrics and internal index REST calls that I should focus on to cover all aspects of forwarder troubleshooting? 

#forwarder #troubleshoot #dashboard

Labels (1)
Labels
Tags (1)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-31-2024 01:02 AM

Hi

here is one conf talk, How to find ingesting issues https://conf.splunk.com/files/2019/slides/FN1570.pdf.

There are many apps in splunkbase which helps you to find that kind of issues.

Also there are some conf presentations about this, but I cannot found those now 😞

r. Ismo

Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-08-2025 11:55 AM
Here is the other one https://conf.splunk.com/files/2021/slides/PLA1410C.pdf
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-30-2024 11:44 PM

Hi @Naa_Win ,

in all my projects I create a custom app containing dashboards to monitor infrastrcuture, with special attention to:

  • fissing data sources,
  • missing hosts,
  • queues issues.

Ciao.

Giuseppe

0 Karma
Reply

Naa_Win
Path Finder
‎01-03-2025 06:35 AM

Hello @gcusello 

Thanks for the reply, is that possible to share the app info or share the source code of the dashboards ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-04-2025 01:05 AM

Hi @Naa_Win ,

the dashboards depend on what you need:

if you need to see the hosts that sent logs in the last 30 days but not in the last hour, you can run:

| tstats count WHERE index=_internal earliest=-30d latest=now BY _time host
| where _time<now()-3600
| stats latest(_time) AS _time BY host

Then you can display the blocked queues and the status of queues using the searches that I shared at https://community.splunk.com/t5/Getting-Data-In/How-do-we-know-whether-typing-queues-are-blocked-or-...

and so on.

As I said they depend on what you need to display.

Ciao.

Giuseppe

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎12-30-2024 09:19 PM

There are few stuff that will be useful:

  • You can use Monitoring Console's alert and dashboard
    • Dashboard -> Splunk Settings > Monitoring Console > Forwarders: Deployment
      • If setup has not done, then do the setup first (it will give you link to setup)
      • Alert -> Splunk Settings > Searches Reports & Alerts
        • Select App as Monitoring Console
        • Select Owner as All
        • And search for Missing Forwarder
        • Enable the alert -> "DMC Alert - Missing forwarders" and add your email to receive alerts on the email

There is one more search you can run to see what data forwarder is sending:

| tstats count where index=* host="<forwarder-host-name>" by index, sourcetype

I hope this helps!!! Kindly upvote!!!

0 Karma
Reply

Naa_Win
Path Finder
‎01-03-2025 06:38 AM

Hello @VatsalJagani 

Thanks for the info, Yes we have those DMC enabled but the problem is as we are new to Splunk we had given only limited access for now to SH. So we wanted to create some dashboards to look with in the internal logs to detect the issues. I would like to start with the Universal Forwarder first.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎01-03-2025 07:35 AM

That's why I suggested to look into DMC which has many searches. If you write those searches yourself it will take a lot of time. DMC will give those pre-built searches.

 

Now, if you don't have access to DMC in your environment, you can just install Splunk on your local laptop and use that to get searches.

 

To get the searches, you can open any panel in any panel, by clicking on the bottom-left "Open in search".

 

I hope this helps!!!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...