Forwarders
This topic is a reference for the Forwarders: Deployment, Forwarders: Instance, and the Splunk TCP Input Performance deployment and instance dashboards in the Monitoring Console. See About the Monitoring Console in this manual.
What do these views show?
The Monitoring Console monitors forwarder connections (in the Forwarders dashboards) and communication (in the Splunk TCP Input dashboards).
The Splunk TCP Input views monitor Splunk TCP Inputs, that is, data from one Splunk instance to another. Usually this is a forwarder sending data to an indexer. These views do not monitor TCP input from a non-Splunk device to a collector, like an Apache server sending its logs to a forwarder.
Interpret results in these views
Forwarders: Deployment view
The Status panel can show the value "active" or "missing". When the scheduled search runs to update this panel, it looks back 15 minutes. If a forwarder connects to the indexers in those 15 minutes, then its status is "active." If not, its status is "missing." To permanently remove missing forwarders from your dashboards, rebuild the forwarder asset table. See Configure forwarder monitoring in this manual.
This lookback time is different from the data collection interval (in Settings > Forwarder Monitoring Setup), which is how often that scheduled search runs. Read about time settings in Configure forwarder monitoring in this manual.
In the Status and configuration panel, the time shown is the last time that the scheduled search completed.
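The "active"/"missing" rule above can be reproduced offline against an indexer's metrics.log, which is useful when checking whether a logging gap is real. The following is an added example, not Splunk's own scheduled search. It assumes the metrics.log line layout and the field names group=tcpin_connections, hostname and guid shown in the constructed sample, and it keys forwarders by GUID.

```python
import re
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(minutes=15)  # lookback window stated on this page

# Constructed sample in the style of an indexer's metrics.log (assumed layout).
SAMPLE_LOG = """\
03-04-2024 10:02:11.120 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, hostname=web01, guid=11111111-AAAA, fwdType=uf, kb=120.5
03-04-2024 10:03:30.004 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40100:9997, connectionType=cooked, hostname=db01, guid=22222222-BBBB, fwdType=uf, kb=8.0
03-04-2024 10:06:10.511 +0000 INFO  Metrics - group=queue, name=parsingqueue, current_size=0
03-04-2024 10:18:41.900 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, hostname=web01, guid=11111111-AAAA, fwdType=uf, kb=98.2
03-04-2024 10:19:02 truncated line without fields
"""

LINE_RE = re.compile(r"^(\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [+-]\d{4}) \w+\s+Metrics - (.*)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

def last_seen_by_guid(log_text):
    """Return {guid: (hostname, last_seen)} from tcpin_connections events."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or foreign lines
        fields = dict(KV_RE.findall(m.group(2)))
        if fields.get("group") != "tcpin_connections" or "guid" not in fields:
            continue  # only Splunk-to-Splunk connection events count
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        prev = seen.get(fields["guid"])
        if prev is None or ts > prev[1]:
            seen[fields["guid"]] = (fields.get("hostname", "?"), ts)
    return seen

def forwarder_status(log_text, now):
    """Classify each known forwarder as 'active' or 'missing' at time `now`."""
    cutoff = now - LOOKBACK
    return {guid: {"hostname": host,
                   "status": "active" if ts >= cutoff else "missing",
                   "last_seen": ts}
            for guid, (host, ts) in last_seen_by_guid(log_text).items()}

if __name__ == "__main__":
    run_time = datetime(2024, 3, 4, 10, 20, tzinfo=timezone.utc)  # constructed run time
    for guid, info in forwarder_status(SAMPLE_LOG, run_time).items():
        print(guid, info["hostname"], info["status"], info["last_seen"].isoformat())
```

A forwarder that stays in the result as "missing" corresponds to an entry that remains in the dashboards until the forwarder asset table is rebuilt.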
Forwarders: Instance view
The quantity called "outgoing data rate" measures the data received by an indexer from a forwarder. This measurement comes from metrics.log on the indexer. See About metrics.log in the Troubleshooting Manual.
If you can't find your indexed data in Splunk Enterprise, you can look at Monitoring Console dashboards in this order:
1. Forwarder views.
2. Splunk TCP input views.
3. Indexing views.
See Troubleshoot forwarder/receiver connection in the Forwarding Data manual.
What to look for in these views
Start at the Forwarders: Deployment view to see whether your forwarders are reporting as expected, or whether one of them is missing.
This dashboard is paired with a preconfigured platform alert, which can notify you when one or more forwarders is missing.
Troubleshoot these views
Forwarders and Splunk TCP Input dashboards
If these dashboards lack data, verify that you have completed all of the setup steps for the Monitoring Console, in either distributed or standalone mode.
Like all Monitoring Console dashboards, these dashboards need metrics.log from the indexers. The Monitoring Console does not query forwarders directly for data, but rather gets its data from the indexers that the forwarders connect to.
Steps specific to the Forwarders dashboards
For any of the Forwarders: Deployment or Forwarders: Instance dashboard panels to work, you must follow the setup steps in Configure forwarder monitoring in this manual. Note the prerequisite that the historical panels need forwarders with individual GUIDs.
Averages on the Forwarders dashboards are not calculated until at least one of the "data collection intervals" (as defined in Monitoring Console > Settings > Forwarder monitoring setup) elapses.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2