Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Forwarders

This topic is a reference for the Forwarders: Deployment, Forwarders: Instance, and the Splunk TCP Input Performance deployment and instance dashboards in the Monitoring Console. See About the Monitoring Console in this manual.

What do these views show?

The Monitoring Console monitors forwarder connections (in the Forwarders dashboards) and communication (in the Splunk TCP Input dashboards).

The Splunk TCP Input views monitor Splunk TCP Inputs, that is, data from one Splunk instance to another. Usually this is a forwarder sending data to an indexer. These views do not monitor TCP input from a non-Splunk device to a collector, like an Apache server sending its logs to a forwarder.

Interpret results in these views

Forwarders: Deployment view

The Status panel can show the value "active" or "missing". When the scheduled search runs to update this panel, it looks back 15 minutes. If a forwarder connects to the indexers in those 15 minutes, then its status is "active." If not, its status is "missing." To permanently remove missing forwarders from your dashboards, rebuild the forwarder asset table. See Configure forwarder monitoring in this manual.

This lookback time is different from the data collection interval (in Settings > Forwarder Monitoring Setup), which is how often that scheduled search runs. Read about time settings in Configure forwarder monitoring in this manual.

In the Status and configuration panel, the time shown is the last time that the scheduled search completed.

Forwarders: Instance view

The quantity called "outgoing data rate" measure the data received by an indexer from a forwarder. This measurement comes from metrics.log on the indexer. See About metrics.log in the Troubleshooting Manual.

If you can't find your indexed data in Splunk Enterprise, you can look at Monitoring Console dashboards in this order:

1. Forwarder views.

2. Splunk TCP input views.

3. Indexing views.

See Troubleshoot forwarder/receiver connection in the Forwarding Data manual.

What to look for in these views

Start at the Forwarders: Deployment view to see whether your forwarders are reporting as expected, or whether one of them is missing.

This dashboard is paired with a preconfigured platform alert, which can notify you when one or more forwarders is missing.

Troubleshoot these views

Forwarders and Splunk TCP Input dashboards

If these dashboards lack data, verify that you have completed all of the setup steps for the Monitoring Console, in either distributed or standalone mode.

Like all Monitoring Console dashboards, these dashboards need metrics.log from the indexers. The Monitoring Console does not query forwarders directly for data, but rather gets its data from the indexers that the forwarders connect to.

Steps specific to the Forwarders dashboards

For any of the Forwarders: Deployment or Forwarders: Instance dashboard panels to work, you must follow the setup steps in Configure forwarder monitoring in this manual. Note the prerequisite that the historical panels need forwarders with individual GUIDs.

Averages on the Forwarders dashboards are not calculated until at least one of the "data collection intervals" (as defined in Monitoring Console > Settings > Forwarder monitoring setup) elapses.

Last modified on 25 February, 2019
Resource Usage   About proactive Splunk component monitoring

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters