Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can we identify forwarders which are not connected to certain indexers?

ddrillic
Ultra Champion
‎08-26-2016 12:24 PM

The DMC shows us the following -

alt text

It shows the connected forwarders to the four indexers, the yellow line is actually two indexers one on top of the other.

How can we figure out which two hundred or so forwarders are not connected to the two newer indexers (the blue and purple) at the bottom of the chart?

Tags (2)
Preview file
34 KB
0 Karma
Reply

ddrillic
Ultra Champion
‎08-28-2016 05:12 PM

Jeff suggested -

-- You should be able to run a search on _internal for the last 24 hours looking for host whose count of splunk_server != 4.

0 Karma
Reply

rharrisssi
Path Finder
‎08-26-2016 12:28 PM

I know this isn't what you're asking, but having hundreds of forwarders going directly to your indexers is against best practice. The Heavy Forwarder role should be intercepting these messages from the UFs and such and then forwarding them to the indexers.

This also allows you to do some preprocessing with transforms and props that would otherwise take resources away from your indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...