Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is forwarder inactive and how can I check?

JGP
Explorer
‎04-21-2023 02:43 AM

If there is no file update for a quite long time and later then is update in the file, then only after forwarder service restarts then it pushes the new data. Is forwarder is inactive as there was no update since. 

what is default duration for forwarder being inactive? any suggestion or is it documented

Labels (2)
Labels
0 Karma
Reply

JGP
Explorer
‎04-21-2023 08:42 AM

@woodcock , forwarder service was running and after service restart only data started flowing

0 Karma
Reply

woodcock
Esteemed Legend
‎04-21-2023 07:25 AM

This is not at all normal UF behavior so I suspect that the UF was not running and the "restart" was actually a "start".

Reply

JGP
Explorer
‎04-21-2023 03:08 AM

hi @gcusello 

thanks for quick response.

So forwarder will never be inactive if there is no update in the file say for more than 20/30days and still will be able to see internal logs and if the re is an update after that time it should data without service restart

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2023 03:38 AM

Hi @JGP,

yes, Universal Forwarder continously sends its internal logs that you can check, even if there isn't any data to forward.

Ciao.

Giuseppe

0 Karma
Reply

JGP
Explorer
‎04-21-2023 02:59 AM

Yes, understands that it will wait for new data. But if there is no new data for a quite a long time so will forwarder be inactive and stop internal logs as well. So if there new data it is not flowing currently and after service restarts able to see data. What could be reason for this?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2023 03:00 AM

Hi @JGP,

Forwarder's internal logs should never stop, if there's a pause there could be some other issue.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2023 02:48 AM

Hi @JGP,

Forwarders are always waiting for data to read and forward.

If you don't receive data is because there isn't any new data.

You can check if the Forwarder us up and running checking the the presence of Splunk internal logs:

index=_internal host=your_forwarder

I always create an alert that make this check because if a Forwarder is down you're blind.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...