- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![xsstest xsstest](https://community.splunk.com/legacyfs/online/avatars/477280.jpg)
I want to create an alert to reminde to remind me that the number of logs sent by forwarders is increasing dramatically.
For example:
12: 00-13: 00 The number of events sent by the UF is 5000 (To be exact, the average number of hours in 24 hours is about 5000)
13: 00-14: 00 The number of events sent by the UF is 30,000
Then I will think that this is an unusual behavior.
How should I do it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/
It trends events/eps by host spurce and sourcetype as well as various other views.
makes it simple to build alerts on not only spikes in utilization, or missing data sources etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
Check out the meta woot app.
https://splunkbase.splunk.com/app/2949/
It trends events/eps by host spurce and sourcetype as well as various other views.
makes it simple to build alerts on not only spikes in utilization, or missing data sources etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![xsstest xsstest](https://community.splunk.com/legacyfs/online/avatars/477280.jpg)
@mmodestino [Splunk] It looks like i need a storage, such as kvstore, but I don't have one here
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
not sure I follow. It can be installed on any search head. Probably best on the License Master or Monitoring Console.
Otherwise check the monitoring console > forwarders: Deployment > Status & Configuration table and the forwarder connection panel and build off these searches (open in search and have a look) for the volume the forwarder is sending and events per second
The mostly focus on (index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=*)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![xsstest xsstest](https://community.splunk.com/legacyfs/online/avatars/477280.jpg)
@mmodestino
Hi, I installed this APP on the search header member, but the data are all 0. I see that it uses the inputlookup command,
Should I set something up first?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![xsstest xsstest](https://community.splunk.com/legacyfs/online/avatars/477280.jpg)
@mmodestino in my master node.I can see the information about the UF. But why does not APP have any data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![Splunk Employee Splunk Employee](/html/@F88B7774A2BF2E9108D79A067A92A581/rank_icons/employee-16.png)
you need to enable one of meta woot!'s scheduled searches.
I generally use the 5 min one
![](/skins/images/FE4825B2128CA5F641629E007E333890/responsive_peak/images/icon_anonymous_message.png)