Splunk® Enterprise

Monitoring Splunk Enterprise

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure forwarder monitoring for the Monitoring Console

This topic is a step in the process of setting up the monitoring console for either a distributed or a standalone Splunk Enterprise deployment.

Prerequisites

For several dashboard monitoring panels to work, your forwarders need unique and persistent GUIDs. One way to accomplish this is to clone your forwarder before starting it. The forwarder GUID is in instance.cfg, which populates when you start the forwarder.

Setup

In Splunk Web, click Monitoring Console > Settings > Forwarder Monitoring setup and follow the setup steps.

About time settings

On the forwarder monitoring setup page, you can enable or disable forwarder monitoring and set the data collection interval. Enabling forwarder monitoring runs a scheduled search that populates dmc_forwarder_assets.csv, a lookup file that resides on the monitoring console node in $SPLUNK_HOME/etc/apps/splunk_monitoring_console/lookups. The monitoring console uses this forwarder asset table to know which forwarders to display information about in the forwarder monitoring dashboards.

In Splunk Web click Settings > Searches and reports > DMC Forwarder - Build Asset Table to review the scheduled search.

Click Monitoring Console > Settings > Forwarder Monitoring Setup and choose from several values for data collection interval. This interval determines how often that scheduled search runs. The default value is 15 minutes.

When the scheduled search runs to rebuild the forwarder asset table it always looks back 15 minutes. This lookback time is not configurable, and it is different from the data collection interval. For example, if you set the data collection interval to 24 hours, the scheduled search will run once every 24 hours, but check only the 15 minutes before it starts running.

Scheduled search can be expensive if you have many forwarders. You might want to run the search less often than the default value.

Rebuild the forwarder asset table

The data in the forwarder asset table is cumulative. If a forwarder connects to an indexer, its record exists in the table. If you later remove the forwarder from your deployment, the forwarder's record is not removed from the asset table. It is instead marked "missing" in the asset table, and it still appears in the DMC forwarder dashboards.

To remove a forwarder entirely from the monitoring console dashboards, click rebuild forwarder assets in Monitoring Console > Settings > Forwarder Monitoring Setup. You can choose a lookback time when you perform this action. The lookback selection during this action does not change the 15-minute lookback time for the scheduled search or the data collection interval discussed elsewhere in this topic.


Next step

To set up platform alerts, see Enable and configure platform alerts. This step is optional.

Last modified on 15 January, 2020
Configure the Monitoring Console in distributed mode   Enable and configure platform alerts

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters