Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can we identify forwarders which are not connected to certain indexers?

ddrillic
Ultra Champion
‎08-26-2016 12:24 PM

The DMC shows us the following -

alt text

It shows the connected forwarders to the four indexers, the yellow line is actually two indexers one on top of the other.

How can we figure out which two hundred or so forwarders are not connected to the two newer indexers (the blue and purple) at the bottom of the chart?

Tags (2)
Preview file
1 KB
0 Karma
Reply

ddrillic
Ultra Champion
‎08-28-2016 05:12 PM

Jeff suggested -

-- You should be able to run a search on _internal for the last 24 hours looking for host whose count of splunk_server != 4.

0 Karma
Reply

rharrisssi
Path Finder
‎08-26-2016 12:28 PM

I know this isn't what you're asking, but having hundreds of forwarders going directly to your indexers is against best practice. The Heavy Forwarder role should be intercepting these messages from the UFs and such and then forwarding them to the indexers.

This also allows you to do some preprocessing with transforms and props that would otherwise take resources away from your indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...