Forwarders hosts are also being displayed as consu...

rakesh_498115 · ‎05-30-2013

Hi

I have used the following query to find indexer host wise mb consumed in indexeing.

index=_internal source=*metrics.log group=per_index_thruput series="Myindex" | eval MB=kb/1024 | stats sum(MB) by host | addcoltotals

but in this list i could see my forwarders hosts are also being displayed...and the Myindex is having almost double size of the data... can you pls help ?? wat needs to be checked to solve this problem ?

grijhwani · ‎07-04-2013

Are your forwarders set to index AND forward, or forward only?

Alternatively, is there some mechanism whereby you could be capturing the same information twice, or forwarding it to multiple indexers? And what version Splunk are you running? Older versions will see the same data directed at multiple indexers as separately accountable.

rakesh_498115 · ‎07-10-2013

my fowaders are meant for fwd only..all are UF's

splunk version 4.3.2
fwd 5.0

rakesh_498115 · ‎07-02-2013

any update on this pls ??

Forwarders hosts are also being displayed as consumed data

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation