Configure forwarder monitoring for the Monitoring Console
This topic is a step in the process of setting up the monitoring console for either a distributed or a standalone Splunk Enterprise deployment.
For several dashboard monitoring panels to work, your forwarders need unique and persistent GUIDs. One way to accomplish this is to clone your forwarder before starting it. The forwarder GUID is in
instance.cfg, which populates when you start the forwarder.
In Splunk Web, click Monitoring Console > Settings > Forwarder Monitoring setup and follow the setup steps.
About time settings
On the forwarder monitoring setup page, you can enable or disable forwarder monitoring and set the data collection interval. Enabling forwarder monitoring runs a scheduled search that populates
dmc_forwarder_assets.csv, a lookup file that resides on the monitoring console node in
$SPLUNK_HOME/etc/apps/splunk_monitoring_console/lookups. The monitoring console uses this forwarder asset table to know which forwarders to display information about in the forwarder monitoring dashboards.
In Splunk Web click Settings > Searches and reports > DMC Forwarder - Build Asset Table to review the scheduled search.
Click Monitoring Console > Settings > Forwarder Monitoring Setup and choose from several values for data collection interval. This interval determines how often that scheduled search runs. The default value is 15 minutes.
When the scheduled search runs to rebuild the forwarder asset table it always looks back 15 minutes. This lookback time is not configurable, and it is different from the data collection interval. For example, if you set the data collection interval to 24 hours, the scheduled search will run once every 24 hours, but check only the 15 minutes before it starts running.
Scheduled search can be expensive if you have many forwarders. You might want to run the search less often than the default value.
Rebuild the forwarder asset table
The data in the forwarder asset table is cumulative. If a forwarder connects to an indexer, its record exists in the table. If you later remove the forwarder from your deployment, the forwarder's record is not removed from the asset table. It is instead marked "missing" in the asset table, and it still appears in the DMC forwarder dashboards.
To remove a forwarder entirely from the monitoring console dashboards, click rebuild forwarder assets in Monitoring Console > Settings > Forwarder Monitoring Setup. You can choose a lookback time when you perform this action. The lookback selection during this action does not change the 15-minute lookback time for the scheduled search or the data collection interval discussed elsewhere in this topic.
To set up platform alerts, see Enable and configure platform alerts. This step is optional.
Configure the Monitoring Console in distributed mode
Enable and configure platform alerts
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1