Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Set Schedule for UF

SplunkDash
Motivator
‎07-01-2021 10:09 AM

Would it be possible to configure SPLUNK UF to scan (/pick) files/data from the server at particular time of a day/week/month....and forward them to SPLUNK Indexer? That means ..... set the frequency of UF to Pick/Scan files/data and forward them to SPLUNK indexer. If so, any help how to do that would be highly appreciated.

Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 11:09 AM

There is no such feature.  Go to https://ideas.splunk.com to make a case for one.

The UF monitors specified files and/or directories so when data appears there it is immediately sent to the indexers.  What is the benefit of scheduling the monitoring?

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎07-01-2021 11:18 AM

Yes I agree. But, client doesn't want to make their server busy.... and giving us to use server at certain time of a day. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 12:23 PM

Typically, a UF uses < 2% of a server's resources.  It's usually unnoticed (until something goes wrong).

IMO, running the UF once a day is a bad idea.  During that time, the UF will be working to process all of the data that accumulated in the last 24 hours.  That will consume a noticeable amount of resources.  Worse, however, is the 24 hour delay means alerts and reports using that data will be outdated almost as soon as they're generated.

Has the client measured the effect of a UF running on a server?

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎07-01-2021 12:54 PM

Volume of data is not that huge....but they want us to put schedule on it.

0 Karma
Reply

SplunkDash
Motivator
‎07-01-2021 11:58 AM

what does checkpoint interval do here

[WinEventLog://ForwardedEvents]
sourcetype=WinEventLog:ForwardedEvents
disabled = 0
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 6
index = wineventlog
renderXml=false

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2021 12:26 PM

The checkpointInterval setting tells the UF how often to save its place in the event log so it can resume where it left off if when restarts.

I think the best way to schedule a forwarder is to use a scheduled task to start it and another to stop it at the appointed times.  I still think it's a bad idea, though.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...