Data Usage for Indexer and Forwarders

In my previous role I created this dashboard to identify how much data each Splunk forwarder had sent to my indexers. It was a daily check that either I or someone on my team would review. The check helped us identify a misconfiguration across all of my production Windows servers: I was able to drill down into the sources and sourcetypes of the affected Windows servers to understand where the increase in log data was originating. In this case the logs were coming from WinEventLog:Security. With that information I opened a new search to review which EventCodes had the highest event count. That quickly identified the issue and which teams to contact for resolution.
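The three searches below reconstruct that workflow in Splunk SPL as an added example; they are not the original dashboard's searches. They assume the indexers' `_internal` index is searchable from the search head, that Windows events are searchable with `index=*`, and that the affected forwarders are named `WIN-SRV01` and `WIN-SRV02` (placeholder hostnames). The first search is the daily check (KB received per forwarder over the selected time range), the second is the per-host source/sourcetype drilldown, and the third is the EventCode count for the noisy sourcetype.

```spl
index=_internal source=*metrics.log* group=tcpin_connections
| stats sum(kb) AS kb BY hostname
| eval mb=round(kb/1024, 2)
| sort - mb

| tstats count WHERE index=* host IN ("WIN-SRV01", "WIN-SRV02") BY host, sourcetype, source
| sort - count

index=* sourcetype="WinEventLog:Security" host IN ("WIN-SRV01", "WIN-SRV02")
| stats count BY EventCode
| sort - count
| head 10
```

Run the first search with the time picker set to yesterday and again to the day before to spot a jump per forwarder, or swap `stats` for `timechart span=1d sum(kb) BY hostname limit=0` to see the trend in one panel. Two caveats: `tcpin_connections` records the host that opened the TCP connection to the indexer, so if an intermediate heavy forwarder sits in the path the `hostname` will be the intermediate, not the originating server; and `tstats count` measures events, not bytes, so a sourcetype with few but very large events can rank low there while still dominating license usage (`index=_internal source=*license_usage.log* type=Usage | stats sum(b) BY h, st` gives the byte view, with the caveat that `h` is blanked when Splunk squashes hosts above its threshold).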
