Re: DMC and dual purpose Splunk server

pwilliams_splun · ‎09-12-2017

I have an indexer and universal forwarder on the same server. The reason for this is that the connection from the indexer to an upstream indexer loses connectivity due to the type of connection and, per the Splunk product team, the indexer will not only stop forwarding when the connection is lost, but also stop indexing. This has been confirmed with the product team as expected behavior per design.

The DMC is picking up the indexer and all other forwarders, but not the forwarder on the same instance as the indexer. The UF's internal logs are, of course, being ingested. Is DMC unable to see the instances individually? Is there any way to configure the UF or the DMC to see this invisible forwarder?

gjanders · ‎09-13-2017

The monitoring console monitors any search peer, a search peer can be any Splunk enterprise instance.

A universal forwarder cannot be a search peer, however you can enable Forwarder Monitoring this will collect some data on the universal forwarders. Monitoring a universal forwarder through this console is not the same as monitoring an enterprise instance.

There are panels (under Forwarders in 6.5.2) of the monitoring console that relate to universal forwarders that you can use once you enable the forwarder monitoring...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

DMC and dual purpose Splunk server

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!