Use the Health dashboard

The Universal forwarder software version detailed views show the forwarder names, versions, days to expiration, expiration timestamp, and status.

The Health dashboard follows the end of full support date listed in the Splunk Support Policy.

The Heavy forwarder software version detailed view shows the heavy forwarder names, versions, days to expiration, expiration timestamp, and status.

The Health dashboard follows the end of full support date listed in the Splunk Support Policy.

This indicator evaluates buckets and their size in an index to help you manage optimal bucket sizes. If bucket sizes fall below or exceed the range 375MB to 750MB, your stack might experience degraded performance from excessive cache calls. If buckets frequently exceed their maximum configured sign, it might be due to insufficient indexing capacity.

Select a critical status index to view more information about source types and other bucket details. A longer period of time between event time and processing time might indicate a need for optimization.

• The number of searches being run exceeds your deployment's capacity.
• The searches being run are taking too long or using too large amount of memory or CPU.

The High memory searches detailed view returns the first 50,000 searches sorted by critical, warning, then conforming status. This prevents the results from timing out on large stacks.

The universal forwarder streams data from your machine to a data receiver, formats data before sending it to your Splunk platform, and lets you monitor data in real time. Maintaining version forwarder version compatibility ensures there is no interruption to your service.

This indicator evaluates the software version for all universal forwarders and informs you of upcoming expiry dates so you can maintain version compatibility.

To learn more about the universal forwarder, see About the universal forwarder in the Splunk Universal Forwarder Forwarder Manual.

For details on upgrading your universal forwarder, see Upgrade your Forwarder in the Splunk Cloud Platform Admin Manual.

For more information on forwarder version compatibility, see Monitor forwarder deployments in the Splunk Cloud Platform Admin Manual and Supported forwarder versions in the Splunk Cloud Platform Service Description.

A heavy forwarder parses data before forwarding or indexes data locally while forwarding the data to another indexer.

This indicator evaluates the software version for all heavy forwarders and informs you of upcoming expiry dates so you can maintain version compatibility.

To learn more about the heavy forwarder, see Heavy and light forwarders in the Splunk Enterprise Forwarding Data manual.

For details on upgrading your heavy forwarder, see Upgrade your Forwarder in the Splunk Cloud Platform Admin Manual.

For more information on forwarder version compatibility, see Monitor forwarder deployments in the Splunk Cloud Platform Admin Manual and Supported forwarder versions in the Splunk Cloud Platform Service Description.

High memory searches use a significant amount of your Splunk platform instance memory.

This indicator evaluates search size and informs you of when searches take up a high amount of memory.

See the Expensive searches dashboard in the CMC for more details about searches that are using a lot of memory.

To learn more about how to troubleshoot high memory, see Limit search process memory usage in the Splunk Cloud Platform Search Manual.

For information on how to write more efficient searches, see Write better searches in the Splunk Cloud Platform Search Manual.

An index typically consists of buckets, directories that contain processed external data and index files.

This indicator evaluates buckets and their size in an index to help you manage optimal bucket sizes.

To learn more about buckets and how they work in an index, see How the indexer stores indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.

Skipped searches occur when the load on your system is higher than the available resources.

This indicator evaluates the skipped search ratio of all scheduled searches.

To learn more about why searches are being skipped and how to avoid skipped searches, see Are you Skipping? Please read!.

To investigate skipped scheduled searches, use the Search > Skipped scheduled searches dashboard. See the documentation at Investigate skipped scheduled searches to learn how to review this dashboard.

Cache transfer activity refers to your deployment's local storage, aggregated by bucket size.

This indicator evaluates bucket download size and informs you of high download size so you can optimize your deployment's cache transfer activity.

TLS (Transport Layer Security) is a widely-used cryptographic security protocol that the Splunk platform uses to ensure secure communication between Splunk platform instances over network connections.

This indicator evaluates for TLS handshake failure alerts. TLS errors can occur for a variety of reasons, including if TLS is not activated on both client and server. TLS errors can also occur if common attributes, such TLS protocol version, cipher suites, and other configurable TLS values, do no match on client and server.

Introduction to securing the Splunk platform with TLS.

For detailed information on how to implement TLS for your deployment, see Steps for securing your Splunk Enterprise deployment with TLS.

A TLS certificate is a digital certificate that encrypts and authenticates data transmitted between a client and server, ensuring secure network communications.

This indicator evaluates for invalid TLS certificates. An invalid TLS certificate alert can occur due to incorrect certificate configuration, expired certificates, or out-of-sync system clocks on client and server nodes.

For an overview on securing your deployment with TLS, see Introduction to securing the Splunk platform with TLS.

A certificate authority (CA) certificate is a digital certificate issued by a trusted entity that verifies the authenticity of TLS certificates.

This indicator evaluates for unknown certificate authority (CA) certificates. An unknown certificate authority (CA) certificate alert can occur due to incorrect configuration settings or if no valid certificate authority (CA) certificate file exists in the certificate trust store.

For details on how to configure TLS certificates for your deployment, see configure TLS certificates for inter-Splunk communication.

A certificate common name (CN) is an attribute of a TLS certificate that specifies the identify of the certificate holder, such as a fully qualified domain name (FQDN), ensuring the entity matches the expected identity during secure communications.

This indicator evaluates for common name (CN) mismatches during certificate validation. Certificate common name mismatch alerts can occur if the CN value of the certificate presented in the TLS handshake does not match the CN value in the 'sslCommonNameToCheck' setting in server.conf.

For more information on TLS configuration settings for Splunk platform deployments, see configure TLS certificates for inter-Splunk communication.

The Splunk platform supports TLS protocol version 1.2. Splunk has deprecated TLS protocol versions 1.0, 1.1 and SSL version 3.0.

This indicator evaluates for events that indicate the server and client do not share a common TLS version. To avoid TLS protocol version mismatches, make sure the 'sslVersions' in the respective configuration file stanza has a value of "tls.2".

For more information on supported TLS protocol versions, see Configure TLS protocol version support for secure connections between Splunk platform instances.

A TLS cipher suite is a set of cryptographic algorithms that govern the encryption, authentication, and integrity of data over secure network connections.

This indicator evaluates for mismatches in TLS ciphers between server and client. TLS cipher suite mismatches can occur if the 'cipherSuite' setting in server.conf on the server and client do not share a compatible TLS cipher.

For information on TLS cipher suite configuration in Splunk platform, see the 'cipherSuite' setting under TLS/SSL Configuration details in server.conf.

Mutual TLS (mTLS) is a security protocol that requires both client and server to authenticate each other's identity using digital certificates.

This indicator evaluates for events that indicate a failed mTLS certificate verification. Such failures can occur due to certificate expiration, incorrect certificate configuration, or Certificate Authority (CA) trust issues.

For information on how to update TLS certificates for your deployment, see Renew existing TLS certificates.

Mutual TLS (mTLS) is a security protocol that requires both client and server to authenticate each other's identity using digital certificates.

This indicator evaluates for events that indicate a client failed to produce a certificate for mutual transport layer security (mTLS). Such failures can occur if the client is not configured to present a client certificate.

For information on how to configure TLS certificates for your deployment, see configure TLS certificates for inter-Splunk communication.

A TLS cipher is an algorithm used to encrypt and decrypt data within a TLS-secured communication.

This indicator evaluates for events that indicate no ciphers compatible with the TLS version exist in the configuration. Missing TLS cipher alerts can occur when the 'cipherSuites' setting in the client configuration does not have a cipher compatible with the TLS version.

For more information on TLS cipher configuration, see TLS/SSL Configuration details in server.conf.