Deployment Architecture

How to get the number of events a universal forwarder sends and receives

xsstest
Communicator

I want to create an alert to remind me when the number of logs sent by forwarders is increasing dramatically.

For example:

12:00-13:00: the number of events sent by the UF is 5000 (to be exact, the hourly average over 24 hours is about 5000)
13:00-14:00: the number of events sent by the UF is 30,000

Then I will think that this is an unusual behavior.

How should I do it?

1 Solution

mattymo
Splunk Employee

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host, source and sourcetype, as well as various other views.

It makes it simple to build alerts not only on spikes in utilization, but also on missing data sources, etc.

- MattyMo


xsstest
Communicator

@mmodestino [Splunk] It looks like I need storage, such as kvstore, but I don't have one here.

mattymo
Splunk Employee

Not sure I follow. It can be installed on any search head. Probably best on the License Master or Monitoring Console.

Otherwise, check the Monitoring Console > Forwarders: Deployment > Status & Configuration table and the forwarder connection panel, and build off these searches (open in search and have a look) for the volume the forwarder is sending and events per second.

They mostly focus on: index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*


- MattyMo
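Building off the tcpin_connections search above, here is an added example (not from the original thread or the meta woot app) of a search that could back the alert the question asks for: it sums the KB each forwarder sent per hour, compares the last complete hour against the average of the previous 24 hours, and returns only forwarders whose volume rose threefold. KB is used rather than event counts because kb sums correctly across a forwarder's connections to several indexers; the 3x ratio, the 1024 KB floor and the 25-hour window are assumed thresholds to tune per environment.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections
    (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*
    earliest=-25h@h latest=@h
| bin _time span=1h
| stats sum(kb) AS hour_kb BY hostname, _time
| eval period = if(_time >= relative_time(now(), "-1h@h"), "current", "baseline")
| stats avg(eval(if(period="baseline", hour_kb, null()))) AS baseline_kb,
        stdev(eval(if(period="baseline", hour_kb, null()))) AS baseline_stdev,
        max(eval(if(period="current", hour_kb, null()))) AS current_kb
    BY hostname
| eval ratio = round(current_kb / baseline_kb, 2),
       zscore = round((current_kb - baseline_kb) / baseline_stdev, 2)
| where ratio >= 3 AND current_kb > 1024
| sort - ratio
| table hostname, current_kb, baseline_kb, baseline_stdev, ratio, zscore
```

Schedule it hourly (for example a few minutes past the hour) with an alert condition of "number of results greater than 0"; the search must run on a search head that sees every indexer's _internal index, or forwarders connected to an unsearched indexer will appear to have dropped volume.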

xsstest
Communicator

@mmodestino

Hi, I installed this app on the search head member, but the data are all 0. I see that it uses the inputlookup command.
Should I set something up first?

xsstest
Communicator

@mmodestino In my master node I can see the information about the UF. But why doesn't the app have any data?

mattymo
Splunk Employee

You need to enable one of meta woot!'s scheduled searches.

I generally use the 5 min one.

- MattyMo