Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the number of universal forwarder to send and receive

xsstest
Communicator
‎07-27-2017 06:50 PM

I want to create an alert to reminde to remind me that the number of logs sent by forwarders is increasing dramatically.

For example:

12: 00-13: 00 The number of events sent by the UF is 5000 (To be exact, the average number of hours in 24 hours is about 5000)
13: 00-14: 00 The number of events sent by the UF is 30,000

Then I will think that this is an unusual behavior.

How should I do it?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 07:03 PM

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 07:03 PM

Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/

It trends events/eps by host spurce and sourcetype as well as various other views.

makes it simple to build alerts on not only spikes in utilization, or missing data sources etc

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:12 PM

@mmodestino [Splunk] It looks like i need a storage, such as kvstore, but I don't have one here

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 08:25 PM

not sure I follow. It can be installed on any search head. Probably best on the License Master or Monitoring Console.

Otherwise check the monitoring console > forwarders: Deployment > Status & Configuration table and the forwarder connection panel and build off these searches (open in search and have a look) for the volume the forwarder is sending and events per second

The mostly focus on (index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*)

alt text

- MattyMo
0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:38 PM

@mmodestino

Hi, I installed this APP on the search header member, but the data are all 0. I see that it uses the inputlookup command,
Should I set something up first?

0 Karma
Reply
Solved! Jump to solution

xsstest
Communicator
‎07-27-2017 08:47 PM

@mmodestino in my master node.I can see the information about the UF. But why does not APP have any data?

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-28-2017 05:15 AM

you need to enable one of meta woot!'s scheduled searches.

I generally use the 5 min one

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...