Deployment Architecture

Deployment Server Total Downloads in the Last Hour

Path Finder

I've recently set up a deployment server with about 100 clients phoning home, per the default setting. The deployment server contains about 20 deployment apps which are not updated often. However, each time I go to the Forwarder Management page, the statistics at the top will show something like "281 Total Downloads in the last 1 hour". Can someone explain how I should be interpreting this count? The deployment apps are not being updated so clients are not downloading any new changes. Does the act of a client simply phoning home constitute a "download"? Any insight is appreciated.


index=_internal source=*splunkd.log host=YourDeploymentServerHere component=PackageDownloadRestHandler "Download complete"
| stats count by app

0 Karma

Super Champion


Any solution for this one?

If this helps, give a like below.
0 Karma

Path Finder

Nope. I've given up and chalked this up to another piece of software that doesn't work as advertised since I've done nothing more than follow the basic installation instructions.

0 Karma

Revered Legend

The phone home doesn't count as download. I would check the splunkd.log of the your deployment server to see what all clients/apps are being download, you can use this query for it.

index=_internal source=*splunkd.log host=YourDeploymentServerHere action=download
0 Karma

Path Finder

Thanks for the suggestion, though the results of that query make this even more puzzling. It returns 0 results for today, even though the Forwarder Management page continues to report "281 Total Downloads in the last 1 hour". In fact, the most recent "Download" result is from 2 days ago. And if I run the against the last 7 days, it only returns 165 results, all of the following form:

03-20-2017 18:10:21.156 +0000 INFO  ClientSessionsManager - Updating record for sc=Servers app=Splunk_TA_nix_Addon: action=Download result=Ok checksum=3412605308407739600

Seems like that count is not updating properly.

0 Karma


You are not alone, I have been plagued by this problem for a very long time. Only it is far worse. I have ~20k hosts, and it will report 80k+ downloads in the last hour. Which seems to be bogging down the page and making it almost unusable.

I have a few downloads in any given time period because we are pushed to workstations and VDI and they are always putting on new workstations onto the network and VDI hosts are always spawning and being destroyed. But never anywhere close to the numbers reported.

0 Karma

Where you able to troubleshoot the issues for highest number of downloads ?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!