Solved: default interval for data sending

jangid · ‎09-28-2012

I am using Universal forwarder to send data to main Splunk instance to monitor files/directories.

What is default interval to send data?
How do I change this interval for x seconds to y seconds?

Ayn · ‎09-28-2012

There is no interval. The forwarder sends data as soon as it has anything to send. You should expect some minor delay before you see the data in your index since data needs to move through the various queues in both the forwarder and the indexer, though. The inputs your forwarder is configured with might use some kind of intervals, like scripted inputs or WMI based inputs.

View solution in original post

Ayn · ‎09-28-2012

There is no interval. The forwarder sends data as soon as it has anything to send. You should expect some minor delay before you see the data in your index since data needs to move through the various queues in both the forwarder and the indexer, though. The inputs your forwarder is configured with might use some kind of intervals, like scripted inputs or WMI based inputs.

Ayn · ‎09-28-2012

What's in your environment that makes it a bad idea to send the data as soon as it arrives to the forwarder?

InkerzBrad · ‎10-07-2015

If the log constantly changes, then it would be expensive to send a TCP traffic every time it changes.

Ayn · ‎09-28-2012

To achieve that you'd need to use a scripted input that only reads the data once an hour. There's some stuff on it here: http://splunk-base.splunk.com/answers/59916/can-you-set-a-certain-time-forwarding-occurs

jangid · ‎09-28-2012

Then how do I configure Splunk Universal forwarder to send data every one hour to main Instance?

default interval for data sending

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!