Universal forwarder turned on performance monitoring on our 4.1.7 indexer

I-Man
Communicator

I was testing the Universal Forwarder on my local machine and sent the local eventlogs and perfmon stats to our 4.1.7 indexer. After a little troubleshooting getting the data to the right index, I observed the logs fine. As it worked, I turned off the Universal Forwarder and moved on.

A few days later I noticed a major increase in logs from our indexer. It appears that the Universal Forwarder turned on the CPUTime, Memory, LocalProcess, etc. checks on the indexer itself. In the GUI these are found in Manager\Data Inputs\WMI Collection. I turned these checks off as they are unnecessary; however, I'd like to know if anyone else had this problem or knows why this happened. Just putting this out there as it seems odd.

Thanks, I-Man


proctorgeorge
Path Finder

Hey I-Man,

Are you using a Deployment Server/Client Setup?

The UniversalForwarder App could have gotten inadvertently turned on for the Indexer. The configuration files for the App would be found at:

%SPLUNK_HOME%\etc\apps\SplunkUniversalForwarder

with the enabled/disabled switch located in the app.conf file in the .\default\ directory.

If you are not using the Deployment Server feature and there is not a SplunkUniversalForwarder App in the Indexer's App directory, then yes that is very odd.

I-Man
Communicator

Thanks for the response. I do not have the SplunkUniversalForwarder App installed; however, I was testing a Deployment Server, so that could have possibly changed something. I don't recall pointing to the deployment server to the indexer as I was just testing. Very odd...

Thanks!
