Quick question regarding metrics.log and a heavy forwarder (HF). I'm using a dashboard to measure the thruput on a few HF's and was curious if using
metrics.log group=thruput name=thruput adds both input and output thruput to the final result ?
Here’s a sample query that you can run on each indexer instance to get a report on thruput by each forwarding entity:
index=_internal metrics "group=tcpin_connections" | timechart span=30s avg(tcp_bps) by sourceHost
As per the thread : https://answers.splunk.com/answers/377028/how-to-configure-dmc-for-heavy-forwarder-monitorin.html an idea is to mark the heavyforwarder as an "indexer" in the DMC and DMC will all do it for you