Trouble-shooting events forwarded from a heavy for...

willsy · ‎10-29-2020

Hello,

Are there searches or any log files that will tell me what is being forwarded from my heavy forwarder?

I have a multi site, clustered splunk environment that ingests all its own personal logs first but then sends all of the data to a third party via a heavy forwarder and data diode. I do not have access to the data once they have been sent from the HF so i cannot assess what has been sent.

Are there any splunk techniques, searches, log files i can view from my heavy forwarder to determine what data have been sent to the data diode?

I can provide config files if required.

isoutamo · ‎10-29-2020

One thing what you could try is adding that HF as indexer on you MC. Then it could shows some information what it has done e.g. what logs it has managed? This is nice way to see e.g. HEC statistic on HF. There is already item for thi (add HF as own type to MC or something similar) on https://ideas.splunk.com

r. Ismo

inventsekar · ‎10-29-2020

Hi @willsy try this search..

index=_internal sourcetype=splunkd group=per_host_thruput host=<HF-Name>

or,

index=_internal sourcetype=splunkd group=per_host_thruput

then you can click host field on left side field selector, and select the HF manually.

willsy · ‎10-29-2020

Hi @inventsekar what does that search specifically tell me?

i am hoping that it is the hosts that are being forwarded by the HF if that is the case then bosh, my stuff works as it is meant to and your search gets the karma.

Trouble-shooting events forwarded from a heavy forwarder.

forwarder

other

splunkd

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update