Log forwarding not every 30 seconds

bosseres
Contributor

Hello Team,

As far as I know, the forwarder must forward logs to the indexer every 30 seconds.

I've reinstalled the system and am trying to configure it.

I opened port 9997 on the indexer for receiving, and ran ./splunk add forward-server ip and ./splunk add monitor /var/log

Logs are being collected, which is fine, but not every 30 seconds, and there are no errors in the logs.

What can cause this problem?

1 Solution

Anonymous
Not applicable

Ah, I understand.

When you have added a new input stanza, you have to restart the service for it to load properly.
You need to restart the Universal Forwarder to make it reload the settings.

Are you using Windows or Linux?

Every time Splunk boots or is restarted, it writes the output into a splunkd.log file.
This can be checked with nano or notepad, depending on your operating system.
If there is any problem during startup, perhaps an error in the input settings, it would be in there.

You received a new event every 30 seconds at an earlier stage; I would check those events and find out what type of info it is. Then I would check the file on the server that you got the event from and double check that the file is updated every 30 seconds.
Splunk doesn't make the logs, it is just gathering the logs. So I think maybe an application updated the logfile every 30 seconds. But this you need to check manually.

Perhaps you could make a scheduled or cron job to update a txt file with a timestamp every 30 seconds just to make sure that everything is in order, for testing.

Best of luck
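The heartbeat idea from the reply above, written out as an added example (not code from the thread or from Splunk): a script that appends a timestamped line to a file under the monitored /var/log directory, plus a freshness check that fails when the last beat is older than a limit. It assumes Linux with GNU date, and the file path /var/log/splunk-heartbeat.log is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes a heartbeat event the
# forwarder can pick up, and checks whether the last heartbeat is stale.
# Cron only has one-minute granularity, so a 30-second cadence is two runs
# per minute, e.g.:
#   * * * * * /opt/heartbeat.sh write; sleep 30; /opt/heartbeat.sh write
# Assumed path; any file under the monitored /var/log directory works.
HEARTBEAT_FILE="${HEARTBEAT_FILE:-/var/log/splunk-heartbeat.log}"
MAX_AGE_SECONDS="${MAX_AGE_SECONDS:-90}"   # three missed beats before alarm

# Append one timestamped line. key=value fields are auto-extracted by Splunk.
write_heartbeat() {
    file="$1"
    host=$(hostname 2>/dev/null || echo unknown)
    printf '%s host=%s event=heartbeat\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" >> "$file"
}

# Print the age in seconds of the last heartbeat line in the file.
# Returns 1 (prints nothing) if the file is missing, empty, or unparseable.
# Uses GNU date -d (assumption: Linux forwarder host).
heartbeat_age() {
    file="$1"
    [ -s "$file" ] || return 1
    last_ts=$(tail -n 1 "$file" | cut -d' ' -f1)
    last_epoch=$(date -u -d "$last_ts" +%s 2>/dev/null) || return 1
    echo $(( $(date -u +%s) - last_epoch ))
}

# Exit 0 if the heartbeat is fresh, 1 if it is stale or missing.
# Usage: check_heartbeat FILE MAX_AGE_SECONDS
check_heartbeat() {
    age=$(heartbeat_age "$1") || { echo "no heartbeat in $1"; return 1; }
    if [ "$age" -gt "$2" ]; then
        echo "heartbeat stale: ${age}s old (limit ${2}s)"
        return 1
    fi
    echo "heartbeat ok: ${age}s old"
}

case "${1:-}" in
    write) write_heartbeat "$HEARTBEAT_FILE" ;;
    check) check_heartbeat "$HEARTBEAT_FILE" "$MAX_AGE_SECONDS" ;;
esac
```

On the search side the same check is a query for the newest event=heartbeat per host; a host whose last beat is older than the limit is a forwarder or client that has gone quiet.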

Anonymous
Not applicable

If there are no new events, what type of data would you like it to send?

 

Do you want to use it like a heartbeat to warn if a client is missing?

 

bosseres
Contributor

Yes, I am just learning to work with Splunk, and want to be sure that events are being collected.

By the way, if I'm not missing something, earlier my indexer got events every 30 seconds; that's why I want to get that back.


richgalloway
SplunkTrust

The default interval is 60 seconds.  Look in $SPLUNK_HOME/etc/system/local to see the setting for /var/log and to change it, if desired.  Remember to restart the forwarder if you change the setting.

---
If this reply helps you, Karma would be appreciated.

bosseres
Contributor

How can I set the interval?

I put this in inputs.conf but it did not help:

[perfmon:///var/log]
interval = 30


richgalloway
SplunkTrust

Did you restart the forwarder after changing props.conf?

---
If this reply helps you, Karma would be appreciated.

bosseres
Contributor

Yes, I did, but I'm not sure that I've changed the parameter I should have.

Can you say what exactly I should change there? Thank you.


scelikok
SplunkTrust

Hi @bosseres,

Forwarders send logs to indexers immediately; they do not wait 30 seconds. Maybe you are confusing this with the auto load balance period, which is 30 seconds by default. Since you have only one indexer, this is not valid.

Any log file change in the /var/log path should be sent to the indexer immediately.

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

bosseres
Contributor

Yes, the forwarder is working; it sends data when some event occurs, but I want to configure it to send data every 30 seconds, even if there are no events.
