Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I identity forwarder data rate and index data rate (to identify a lag and prioritize logs)?

chintan_shah
Path Finder
‎10-06-2017 11:09 AM

Hi,
Is there any way where we can identify how much data the forwarder is sending and how much data is being indexed in real-time?
The problem is that I have a single forwarder that is sending data to a single indexer and its sending multiple logs i.e. 50 monitored files with different indexes. I am receiving data from a few indexes in real time whereas for some indexes I am having a lag, so I want to remove the lag and if possible give higher preferences to some logs file.

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎10-06-2017 12:20 PM

For forwarder lag, start to look at the metrics.log on the forwarder, if you see that it is hitting a plateau of kbps speed, it may be that you are hitting the default thuput limit.
see this article
http://docs.splunk.com/Documentation/Splunk/7.0.0/Troubleshooting/Troubleshootingeventsindexingdelay...

Also look at the timestamp, maybe is it a timezone issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...