Missing per_*_thruput metrics on 9.3.x Universal f...

hrawat_splunk · ‎10-25-2024

Apply following workaround in default-mode.conf

Additionally you can also push this change via DS push across thousands of universal forwarders.

Add index_thruput in the list of disabled processors.

Add following line as is in default-mode.conf.

#Turn off a processor
[pipeline:indexerPipe]
disabled_processors= index_thruput, indexer, indexandforward, latencytracker, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor, s2soverhttpoutput, destination-key-processor

NOTE: PLEASE DON'T APPLY ON HF/SH/IDX/CM/DS. You want to use different app( not SplunkUniversalForwarder app) to push the change.

hrawat_splunk · ‎10-27-2024

Applying on non-UF (e.g HF) will break thruput metrics. Added warning to post. Thanks for asking great question.

gjanders · ‎10-27-2024

Thanks for the information, I assume the target is to fix this in a future UF 9.3.x release?

Furthermore, would you happen to know what would happen if the setting was accidentally applied on a HF?

Clients of our deployment server will sometimes run a Splunk enterprise version instead of a UF so I suspect we will need to be careful...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

hrawat_splunk · ‎10-27-2024

https://community.splunk.com/t5/Getting-Data-In/Missing-per-thruput-metrics-on-9-3-x-Universal-forwa...

Missing per_*_thruput metrics on 9.3.x Universal forwarders.

universal forwarder

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?