I've recently set up a deployment server with about 100 clients phoning home, per the default setting. The deployment server contains about 20 deployment apps which are not updated often. However, each time I go to the Forwarder Management page, the statistics at the top will show something like "281 Total Downloads in the last 1 hour". Can someone explain how I should be interpreting this count? The deployment apps are not being updated so clients are not downloading any new changes. Does the act of a client simply phoning home constitute a "download"? Any insight is appreciated.
The phone home doesn't count as a download. I would check the splunkd.log of your deployment server to see what all clients/apps are being downloaded; you can use this query for it.
index=_internal source=*splunkd.log host=YourDeploymentServerHere action=download
Thanks for the suggestion, though the results of that query make this even more puzzling. It returns 0 results for today, even though the Forwarder Management page continues to report "281 Total Downloads in the last 1 hour". In fact, the most recent "Download" result is from 2 days ago. And if I run the query against the last 7 days, it only returns 165 results, all of the following form:
03-20-2017 18:10:21.156 +0000 INFO ClientSessionsManager - ip=xxx.xxx.xxx.xxx name=server.company.com Updating record for sc=Servers app=Splunk_TA_nix_Addon: action=Download result=Ok checksum=3412605308407739600
Seems like that count is not updating properly.
You are not alone, I have been plagued by this problem for a very long time. Only it is far worse. I have ~20k hosts, and it will report 80k+ downloads in the last hour. Which seems to be bogging down the page and making it almost unusable.
I have a few downloads in any given time period because we are pushed to workstations and VDI and they are always putting new workstations onto the network and VDI hosts are always spawning and being destroyed. But never anywhere close to the numbers reported.
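An added example, not part of any post in this thread: a Python script that counts `action=Download` records per app and per client from splunkd.log lines in the ClientSessionsManager format quoted above, so the result can be compared with the figure on the Forwarder Management page. The sample lines, host names, IPs, the second app name and the function names are constructed for illustration; only the line layout comes from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in the splunkd.log format quoted in the thread
# (host names, IPs, the second app name and checksums are made up).
SAMPLE_LOG = """\
03-20-2017 18:10:21.156 +0000 INFO ClientSessionsManager - ip=192.0.2.10 name=server1.example.com Updating record for sc=Servers app=Splunk_TA_nix_Addon: action=Download result=Ok checksum=1111111111111111111
03-20-2017 18:40:02.700 +0000 INFO ClientSessionsManager - ip=192.0.2.11 name=server2.example.com Updating record for sc=Servers app=Splunk_TA_nix_Addon: action=Download result=Ok checksum=1111111111111111111
03-20-2017 18:41:10.003 +0000 INFO OtherComponent - constructed line that is not a download record
03-20-2017 16:05:00.000 +0000 INFO ClientSessionsManager - ip=192.0.2.10 name=server1.example.com Updating record for sc=Servers app=example_outputs: action=Download result=Ok checksum=2222222222222222222
"""

TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+ "
    r"ClientSessionsManager - ip=\S+ name=(?P<name>\S+) Updating record for "
    r"sc=\S+ app=(?P<app>[^:\s]+):? action=(?P<action>\S+) result=(?P<result>\S+)"
)


def parse_downloads(text):
    """Yield (timestamp, client name, app) for each action=Download record."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["action"].lower() == "download":
            yield datetime.strptime(m["ts"], TS_FORMAT), m["name"], m["app"]


def downloads_in_window(text, end, window=timedelta(hours=1)):
    """Return (total, per-app Counter, per-client Counter) for (end - window, end]."""
    events = [e for e in parse_downloads(text) if end - window < e[0] <= end]
    by_app = Counter(app for _, _, app in events)
    by_client = Counter(name for _, name, _ in events)
    return len(events), by_app, by_client


if __name__ == "__main__":
    end = datetime(2017, 3, 20, 19, 0, tzinfo=timezone.utc)
    total, by_app, by_client = downloads_in_window(SAMPLE_LOG, end)
    print(f"downloads in the hour before {end:%H:%M}: {total}")
    for app, n in by_app.most_common():
        print(f"  {app}: {n}")
    for name, n in by_client.most_common():
        print(f"  {name}: {n}")
```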