Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Set Schedule for UF

SplunkDash
Motivator
‎07-01-2021 10:09 AM

Would it be possible to configure SPLUNK UF to scan (/pick) files/data from the server at particular time of a day/week/month....and forward them to SPLUNK Indexer? That means ..... set the frequency of UF to Pick/Scan files/data and forward them to SPLUNK indexer. If so, any help how to do that would be highly appreciated.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 11:09 AM

There is no such feature.  Go to https://ideas.splunk.com to make a case for one.

The UF monitors specified files and/or directories so when data appears there it is immediately sent to the indexers.  What is the benefit of scheduling the monitoring?

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎07-01-2021 11:18 AM

Yes I agree. But, client doesn't want to make their server busy.... and giving us to use server at certain time of a day. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 12:23 PM

Typically, a UF uses < 2% of a server's resources.  It's usually unnoticed (until something goes wrong).

IMO, running the UF once a day is a bad idea.  During that time, the UF will be working to process all of the data that accumulated in the last 24 hours.  That will consume a noticeable amount of resources.  Worse, however, is the 24 hour delay means alerts and reports using that data will be outdated almost as soon as they're generated.

Has the client measured the effect of a UF running on a server?

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎07-01-2021 12:54 PM

Volume of data is not that huge....but they want us to put schedule on it.

0 Karma
Reply

SplunkDash
Motivator
‎07-01-2021 11:58 AM

what does checkpoint interval do here

[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 6
index = wineventlog
renderXml=false

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 12:26 PM

The checkpointInterval setting tells the UF how often to save its place in the event log so it can resume where it left off if when restarts.

I think the best way to schedule a forwarder is to use a scheduled task to start it and another to stop it at the appointed times.  I still think it's a bad idea, though.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...