Splunk Enterprise

Forwarder Monitoring is disabled.

Gregski11
Contributor

On a Windows Server when I go to Settings \ Monitoring Console and launch it, there is a Menu item called: Forwarders: Instance which appears not to be configured and when I try to run setup I get this warning about it effecting performance, so my question is, are any of you running this feature?

Forwarder Monitoring Setup

Forwarder monitoring dashboards provide information on forwarder activity and throughput. If you turn on forwarder monitoring, Splunk Enterprise enables a scheduled search named "DMC Forwarder - Build Asset Table"  that relies on internal network input metrics that your indexers record. If you have many forwarders, this search can significantly affect the search workload of the indexers.

To mitigate the cost of this search, increase the data collection interval so that the search runs less frequently. Learn More 

Forwarders: Instance

Forwarder Monitoring is disabled. Please go to the setup page to enable it.

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

A thousand forwarders shouldn't be a problem for an MC and 16 indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I can't say I've seen the MC consume a lot of resources.  The warning you cite may not apply in your environment.  Do you have many forwarders?

---
If this reply helps you, Karma would be appreciated.

Gregski11
Contributor

Rich thank you for offering to help, we have two Deployment servers one is for our servers and so over 500 Windows and Linux servers forward to a dozen Indexers

in addition to that Deployment server we have another Deployment server dedicated to all our workstations so another 500 plus Windows workstation machines forward to the same dozen Indexers 

hope this paints a better picture for you

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

A thousand forwarders shouldn't be a problem for an MC and 16 indexers.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...