How can I find out how often the forwarders are se...

rodneymitch80 · ‎02-22-2023

How can I find out how often the forwarders are sending their logs to indexers? How to search in splunk enterprise

Thanks,

RPM

gcusello · ‎02-22-2023

the first check to perform is surely the one hinted by @richgalloway ,

then you could run a search to understand the delay between timestamp and indextime:

index=*
| eval delta=_indextime-_time
| stats max(delta) AS max min(delta) AS min avg(delta) AS avg BY host

or

index=*
| bin span=1h _indextime
| eval delta=_indextime-_time, indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| stats max(delta) AS max min(delta) AS min avg(delta) AS avg BY host indextime

Ciao.

Giuseppe

richgalloway · ‎02-22-2023

Check inputs.conf.

If the stanza name begins with monitor:// or WinEventLog:// then the log is forwarded whenever new data is detected (almost immediately). The UF's own logs are processed by a monitor stanza.

if the stanza name begins with script:// then data will be forwarded according to the interval= setting (default is 60 seconds).

There are other stanza types, but these are most common for forwarding logs.

---
If this reply helps you, Karma would be appreciated.

How can I find out how often the forwarders are sending their logs to indexers?

universal forwarder

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability