Getting Data In

How can I find out how often the forwarders are sending their logs to indexers?

rodneymitch80
Explorer

How can I find out how often the forwarders are sending their logs to indexers? How do I search for this in Splunk Enterprise?

Thanks,

RPM

0 Karma

gcusello
SplunkTrust

Hi @rodneymitch80,

The first check to perform is surely the one hinted at by @richgalloway;

then you could run a search to understand the delay between the event timestamp and the index time:

index=*
| eval delta=_indextime-_time
| stats max(delta) AS max min(delta) AS min avg(delta) AS avg BY host

or

index=*
| bin span=1h _indextime
| eval delta=_indextime-_time, indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
| stats max(delta) AS max min(delta) AS min avg(delta) AS avg BY host indextime

Ciao.

Giuseppe

0 Karma
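As an added illustration (not code from the thread), the Python below reproduces what the two SPL searches above compute: the gap between an event's own timestamp (_time) and the moment the indexer wrote it (_indextime), grouped by host and by 1-hour bucket of index time, plus the spacing between consecutive index writes per host, which is the closest direct answer to "how often" a forwarder delivers. The sample events are constructed; hosts, timestamps and the lag values are assumptions chosen to mimic a monitor:// input (near-immediate) and a script:// input running every 60 seconds.

```python
"""Added example: ingestion-lag statistics per host and per 1h index-time bucket,
mirroring `eval delta=_indextime-_time | stats ... BY host indextime`."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: (host, _time, _indextime) as epoch seconds.
# 1700000000 is 2023-11-14 22:13:20 UTC.
SAMPLE_EVENTS = [
    ("web01", 1700000000, 1700000003),  # near-immediate, like a monitor:// input
    ("web01", 1700000120, 1700000122),
    ("web01", 1700003700, 1700003705),  # lands in the next hour bucket
    ("db01",  1700000000, 1700000058),  # batched, like script:// with interval=60
    ("db01",  1700000060, 1700000117),
    ("db01",  1700000120, 1700000179),
]


def bucket_start(epoch, span=3600):
    """Equivalent of `bin span=1h _indextime`: floor to the bucket boundary."""
    return epoch - (epoch % span)


def lag_stats(events, span=3600):
    """Return {(host, bucket_str): {'max','min','avg','count'}} of _indextime-_time."""
    groups = defaultdict(list)
    for host, event_time, index_time in events:
        groups[(host, bucket_start(index_time, span))].append(index_time - event_time)
    out = {}
    for (host, bucket), deltas in groups.items():
        label = datetime.fromtimestamp(bucket, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out[(host, label)] = {
            "max": max(deltas),
            "min": min(deltas),
            "avg": sum(deltas) / len(deltas),
            "count": len(deltas),
        }
    return out


def index_intervals(events):
    """Seconds between consecutive index writes per host: a large, regular
    interval suggests a polled (script://) input rather than a tailed file."""
    by_host = defaultdict(list)
    for host, _event_time, index_time in events:
        by_host[host].append(index_time)
    return {
        host: [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        for host, times in by_host.items()
    }


if __name__ == "__main__":
    for key, stats in sorted(lag_stats(SAMPLE_EVENTS).items()):
        print(key, stats)
    print(index_intervals(SAMPLE_EVENTS))
```

A consistently small lag with irregular spacing points to a file monitor delivering as data appears; a lag that clusters just under a fixed value with evenly spaced index writes points to a scripted input on an interval.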

richgalloway
SplunkTrust

Check inputs.conf.

If the stanza name begins with monitor:// or WinEventLog:// then the log is forwarded whenever new data is detected (almost immediately). The UF's own logs are processed by a monitor stanza.

If the stanza name begins with script:// then data will be forwarded according to the interval= setting (default is 60 seconds).

There are other stanza types, but these are most common for forwarding logs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
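To turn the inputs.conf check above into something repeatable across many forwarders, here is an added example (not from the thread or from Splunk) that parses a stanza-style inputs.conf and classifies each stanza by how it triggers forwarding, following the rules in the answer: monitor:// and WinEventLog:// forward on new data, script:// forwards every interval= seconds with 60 as the default, and anything else is reported as "other" for manual review. The configuration text is constructed; the stanza names, paths and interval values are assumptions.

```python
"""Added example: classify inputs.conf stanzas by forwarding cadence."""
import re

# Constructed sample inputs.conf (not a real forwarder's configuration).
SAMPLE_INPUTS_CONF = """\
[default]
host = web01

[monitor:///var/log/nginx/access.log]
sourcetype = nginx:access

[WinEventLog://Security]
disabled = 0

[script://./bin/disk_usage.sh]
interval = 300
sourcetype = disk

[script://./bin/netstat.sh]
sourcetype = netstat

[script://./bin/nightly.sh]
interval = 0 2 * * *
disabled = 1
"""

DEFAULT_SCRIPT_INTERVAL = 60  # seconds, per the answer above


def parse_stanzas(text):
    """Minimal [stanza] / key = value parser; comments and blank lines are skipped."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def forwarding_cadence(stanzas):
    """Return {stanza: (kind, detail)} where kind is one of
    'disabled', 'on_new_data', 'interval', 'cron' or 'other'."""
    result = {}
    for name, settings in stanzas.items():
        if settings.get("disabled", "0").lower() in ("1", "true"):
            result[name] = ("disabled", None)
        elif name.startswith(("monitor://", "WinEventLog://")):
            result[name] = ("on_new_data", None)
        elif name.startswith("script://"):
            interval = settings.get("interval", str(DEFAULT_SCRIPT_INTERVAL))
            if interval.isdigit():
                result[name] = ("interval", int(interval))
            else:
                # Splunk also accepts a cron expression here; report it as-is.
                result[name] = ("cron", interval)
        else:
            result[name] = ("other", None)
    return result


if __name__ == "__main__":
    for stanza, (kind, detail) in forwarding_cadence(parse_stanzas(SAMPLE_INPUTS_CONF)).items():
        print(f"{stanza:45} {kind:12} {detail if detail is not None else ''}")
```

Running it over each forwarder's effective inputs.conf (after merging the app and local layers) gives a quick inventory of which inputs stream immediately and which are polled, and at what interval.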