Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you check transfer speed from universal forwarder to indexer by event or file?

human96
Communicator
‎02-22-2022 02:25 AM

how to check the transfer speed from UF to indexer ?

 

is it possible to check by events or source ?

Labels (2)
Labels
0 Karma
Reply

human96
Communicator
‎02-27-2022 09:21 PM

From my prospective , i believe  the indexing speed by source, sourcetype, host, or index can be calculated  using the below SPL or the search query.

index="_internal" source="*metrics.log" per_source_thruput series=ps | eval MB=kb/1024 | timechart span=5m sum(MB) by series

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2022 11:33 PM

Hi @human96,

probably your search is correct, even if i don't exactly understand what't your Use Case, what's series?

and generally, why invent hot water?

in the Monitorinbg Console you have all the searches to calculate all the needed metrics (indexing speed, license consuption, etc...).

I'd prefer a standard solution, but you could also use your search.

Tell me if I can help you more.

Ciao and happy splunking.

Giiuseppe

P.,S.: Karma Points are appreciated 😉

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-22-2022 03:01 AM

Hi @human96,

using the Monitoring Console, you have all the information about data logs tranferred from each UF to Indexers.

[Settings -- Monitoring Console -- Forwarders]

If you don't have, you have to configure Monitoring Console to monitor UFs in [Settings -- Monitoring Console -- Settings -- Forwarders Monitoring Setup].

Ciao.

Giuseppe

Reply

human96
Communicator
‎02-22-2022 04:01 AM

thanks for the quick response @gcusello , really appreciate this.
can we also check  by event or file (source)?

Will really appreciate if you could attach the splunk documentation.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-22-2022 04:32 AM

Hi @human96,

in the Monitoring Console, you have the traffic for each client sending logs.

If you want to knopw the weight of each file, you should count the chars of earch source.

You can find documentation about Monitoring Console at https://docs.splunk.com/Documentation/Splunk/8.2.4/DMC/DMCoverview

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...