Deployment Architecture

How to get the number of universal forwarder to send and receive

xsstest
Communicator

I want to create an alert to reminde to remind me that the number of logs sent by forwarders is increasing dramatically.

For example:

12: 00-13: 00 The number of events sent by the UF is 5000 (To be exact, the average number of hours in 24 hours is about 5000)
13: 00-14: 00 The number of events sent by the UF is 30,000

Then I will think that this is an unusual behavior.

How should I do it?

Tags (1)
0 Karma
1 Solution

mattymo
Splunk Employee
Splunk Employee

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo

View solution in original post

0 Karma

mattymo
Splunk Employee
Splunk Employee

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo
0 Karma

xsstest
Communicator

@mmodestino [Splunk] It looks like i need a storage, such as kvstore, but I don't have one here

0 Karma

mattymo
Splunk Employee
Splunk Employee

not sure I follow. It can be installed on any search head. Probably best on the License Master or Monitoring Console.

Otherwise check the monitoring console > forwarders: Deployment > Status & Configuration table and the forwarder connection panel and build off these searches (open in search and have a look) for the volume the forwarder is sending and events per second

The mostly focus on (index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*)

alt text

- MattyMo
0 Karma

xsstest
Communicator

@mmodestino

Hi, I installed this APP on the search header member, but the data are all 0. I see that it uses the inputlookup command,
Should I set something up first?

0 Karma

xsstest
Communicator

@mmodestino in my master node.I can see the information about the UF. But why does not APP have any data?

0 Karma

mattymo
Splunk Employee
Splunk Employee

you need to enable one of meta woot!'s scheduled searches.

I generally use the 5 min one

- MattyMo
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...