Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the number of universal forwarder to send and receive

xsstest
Communicator
‎07-27-2017 06:50 PM

I want to create an alert to reminde to remind me that the number of logs sent by forwarders is increasing dramatically.

For example:

12: 00-13: 00 The number of events sent by the UF is 5000 (To be exact, the average number of hours in 24 hours is about 5000)
13: 00-14: 00 The number of events sent by the UF is 30,000

Then I will think that this is an unusual behavior.

How should I do it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 07:03 PM

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 07:03 PM

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:12 PM

@mmodestino [Splunk] It looks like i need a storage, such as kvstore, but I don't have one here

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 08:25 PM

not sure I follow. It can be installed on any search head. Probably best on the License Master or Monitoring Console.

Otherwise check the monitoring console > forwarders: Deployment > Status & Configuration table and the forwarder connection panel and build off these searches (open in search and have a look) for the volume the forwarder is sending and events per second

The mostly focus on (index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*)

alt text

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:38 PM

@mmodestino

Hi, I installed this APP on the search header member, but the data are all 0. I see that it uses the inputlookup command,
Should I set something up first?

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:47 PM

@mmodestino in my master node.I can see the information about the UF. But why does not APP have any data?

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-28-2017 05:15 AM

you need to enable one of meta woot!'s scheduled searches.

I generally use the 5 min one

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...