Splunk® Enterprise

Monitoring Splunk Enterprise

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Forwarder dashboards

This topic is a reference for the Forwarders: Deployment and Forwarders: Instance dashboards in the Distributed Management Console. See “About the distributed management console.”

What do these views show?

The forwarder dashboards present key snapshot and historical metrics about forwarder connections.

Interpret results in these views

Deployment view

The Status panel can show the value "active" or "missing". When the scheduled search runs to update this panel, it looks back 15 minutes. If a forwarder connects to the indexers in those 15 minutes, then its status is "active." If not, its status is "missing."

This lookback time is different from the data collection interval (in Settings > Forwarder Monitoring Setup), which is how often that scheduled search runs. For example, you could set the data collection interval to 24 hours. Then the scheduled search would run once every 24 hours, but it still would check only the 15 minutes before it starts running.

This view shows information about forwarders in an internal file called dmc_forwarder_assets.csv. The file's list of forwarders is cumulative. If any forwarder connects to an indexer, its record is added to the .csv file. If you later remove the forwarder from your deployment, the DMC does not remove the forwarder's record from the file. It is instead marked "missing." To avoid having your removed forwarders appear as "missing" in the DMC view, navigate to DMC > Forwarder Monitoring Setup and click Rebuild forwarder assets. For the one time that you run this ad hoc search to populate the assets file initially, you can choose a distinct lookback time in the Time range selector. This selection does not change the 15 minute lookback time for the scheduled search, nor does it change the data collection interval.

Status and configuration panel: Time shown is the time the scheduled search last completed.

Instance view

The quantity called "outgoing data rate" is in fact the incoming data received by an indexer from a forwarder. This measurement comes from metrics.log. See "About metrics.log" in the Troubleshooting Manual.

What to look for in these views

Start at the Forwarders: Deployment view to see whether your forwarders are reporting as expected, or whether one of them is missing.

This dashboard is paired with a preconfigured platform alert, which can notify you when one or more forwarders is missing.

Troubleshoot these views

If your panels lack data, verify that you have completed the setup steps for the DMC, in either distributed or standalone mode. These dashboards use metrics.log from the indexers.

For any of the forwarder dashboard panels to work, you must complete the setup in Configure forwarder monitoring in this manual.

In addition, the forwarder dashboard historical panels need forwarders with individual GUIDs.

Averages on these panels are not calculated until at least one of the "data collection intervals" (as defined in DMC > Settings > Forwarder monitoring setup) elapses.

Last modified on 18 March, 2016
PREVIOUS
Indexing: Indexes and volumes dashboards
  NEXT
Licensing

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters