Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Set Schedule for UF

SplunkDash
Motivator
‎07-01-2021 10:09 AM

Would it be possible to configure SPLUNK UF to scan (/pick) files/data from the server at particular time of a day/week/month....and forward them to SPLUNK Indexer? That means ..... set the frequency of UF to Pick/Scan files/data and forward them to SPLUNK indexer. If so, any help how to do that would be highly appreciated.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 11:09 AM

There is no such feature.  Go to https://ideas.splunk.com to make a case for one.

The UF monitors specified files and/or directories so when data appears there it is immediately sent to the indexers.  What is the benefit of scheduling the monitoring?

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎07-01-2021 11:18 AM

Yes I agree. But, client doesn't want to make their server busy.... and giving us to use server at certain time of a day. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 12:23 PM

Typically, a UF uses < 2% of a server's resources.  It's usually unnoticed (until something goes wrong).

IMO, running the UF once a day is a bad idea.  During that time, the UF will be working to process all of the data that accumulated in the last 24 hours.  That will consume a noticeable amount of resources.  Worse, however, is the 24 hour delay means alerts and reports using that data will be outdated almost as soon as they're generated.

Has the client measured the effect of a UF running on a server?

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎07-01-2021 12:54 PM

Volume of data is not that huge....but they want us to put schedule on it.

0 Karma
Reply

SplunkDash
Motivator
‎07-01-2021 11:58 AM

what does checkpoint interval do here

[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 6
index = wineventlog
renderXml=false

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 12:26 PM

The checkpointInterval setting tells the UF how often to save its place in the event log so it can resume where it left off if when restarts.

I think the best way to schedule a forwarder is to use a scheduled task to start it and another to stop it at the appointed times.  I still think it's a bad idea, though.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...