Splunk Stream

User Manual

Stream Admin dashboards

Splunk App for Stream (splunk_app_stream) provides a set of pre-built Admin dashboards, including

  • Stream Data Volumes
  • Network Metrics
  • Stream Forwarder Status
  • Stream Forwarder Metrics & Logs

Use Admin dashboards to identify spikes and trends in network activity that might indicate a network issue and to analyze customer behavior. Click in any dashboard graph to drill down to Splunk search results, and perform further analysis on network, streamfwd process, and log data.

Note: Data used to populate Stream Admin dashboards is collected by Stream Forwarders and stored in the _internal index. Hence, it is critical to have the _internal index forwarded from all Stream-enabled Splunk instances to the indexers.

Stream Data Volumes

The Stream Data Volumes dashboard shows index volume stats for all streams in the Enabled mode. The dashboard lets you monitor these data index volume stats:

  • Total Events
  • Total Incomming Traffic (MB)
  • Total Outgoing Traffic (MB)
  • Total Traffic (MB)
  • Splunk Index Volume (MB)

In the Splunk App for Stream main menu, select Admin Dashboards > Stream Data Volumes.

Stream data volume dashboard.png

Note: To view estimates of data index volume for streams in the Estimate mode, use the Stream Estimate dashboard. For more information, see Stream Estimate in this manual.

Network Metrics

The Network Metrics dashboard lets you monitor these network events:

  • Bandwidth (Mbps)
  • Active Network Flows
  • Total Packets
  • Dropped Packets


In the Splunk App for Stream main menu, select Admin Dashboards > Network Metrics.

StreamApp Network metrics.png

Stream Forwarder Status

The Stream Forwarder Status dashboard displays a list your deployed Stream forwarders, along with attributes, status, and configuration details for each Stream forwarder. The Stream Forwarder Status dashboard is populated by a special stream of sourcetype=stream:stats that is not user configurable and does not appear in the Configure Streams UI.

In the Splunk App for Stream main menu, select Admin Dashboards > Stream Forwarder Status.

Stream forwarder status dashboard.png

Stream Forwarder Metrics & Logs

Click on any Stream forwarder in the Stream Forwarder ID list to open the Stream Forwarder Metrics & Logs dashboard for that Stream forwarder. This dashboard provides additional detailed information on the status and behavior of individual stream forwarders, including log entries from streamfwd.log and the following streamfwd binary metrics:

  • Total Events
  • Event Queue Size
  • Packet Queue Size
  • SSL Session Keys
  • TCP Reassembly Packet Count
  • TCP Reassembly Payload Size
  • Event Attributes

Stream forwarder metrics and logs.png

Last modified on 03 March, 2022
Stream Informational Dashboards  

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters