Monitoring Splunk

Trouble-shooting events forwarded from a heavy forwarder.



Are there searches or any log files that will tell me what is being forwarded from my heavy forwarder? 

I have a multi site, clustered splunk environment that ingests all its own personal logs first but then sends all of the data to a third party via a heavy forwarder and data diode. I do not have access to the data once they have been sent from the HF so i cannot assess what has been sent. 

Are there any splunk techniques, searches, log files i can view from my heavy forwarder to determine what data have been sent to the data diode? 

I can provide config files if required. 

Labels (3)
Tags (1)
0 Karma


One thing what you could try is adding that HF as indexer on you MC. Then it could shows some information what it has done e.g. what logs it has managed? This is nice way to see e.g. HEC statistic on HF. There is already item for thi (add HF as own type to MC or something similar) on

r. Ismo

0 Karma

Ultra Champion

Hi @willsy  try this search.. 

index=_internal sourcetype=splunkd group=per_host_thruput host=<HF-Name>


index=_internal sourcetype=splunkd group=per_host_thruput 

then you can click host field on left side field selector, and select the HF manually. 

0 Karma


Hi @inventsekar what does that search specifically tell me? 

i am hoping that it is the hosts that are being forwarded by the HF if that is the case then bosh, my stuff works as it is meant to and your search gets the karma.

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out &gt;&gt; As our brave ...