Splunk Enterprise

Forwarder Monitoring is disabled.

Gregski11
Contributor

On a Windows Server when I go to Settings \ Monitoring Console and launch it, there is a Menu item called: Forwarders: Instance which appears not to be configured and when I try to run setup I get this warning about it effecting performance, so my question is, are any of you running this feature?

Forwarder Monitoring Setup

Forwarder monitoring dashboards provide information on forwarder activity and throughput. If you turn on forwarder monitoring, Splunk Enterprise enables a scheduled search named "DMC Forwarder - Build Asset Table"  that relies on internal network input metrics that your indexers record. If you have many forwarders, this search can significantly affect the search workload of the indexers.

To mitigate the cost of this search, increase the data collection interval so that the search runs less frequently. Learn More 

Forwarders: Instance

Forwarder Monitoring is disabled. Please go to the setup page to enable it.

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

A thousand forwarders shouldn't be a problem for an MC and 16 indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

I can't say I've seen the MC consume a lot of resources.  The warning you cite may not apply in your environment.  Do you have many forwarders?

---
If this reply helps you, Karma would be appreciated.

Gregski11
Contributor

Rich thank you for offering to help, we have two Deployment servers one is for our servers and so over 500 Windows and Linux servers forward to a dozen Indexers

in addition to that Deployment server we have another Deployment server dedicated to all our workstations so another 500 plus Windows workstation machines forward to the same dozen Indexers 

hope this paints a better picture for you

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

A thousand forwarders shouldn't be a problem for an MC and 16 indexers.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...