The Forwarder Awareness component allows Admins to view forwarder data and status, including failures. This increases forwarder visibility and allows Admins to stay on top of outages and unusual behavior.
Forwarder Group Overview Dashboard
The entry dashboard of the Forwarder Awareness Element is Forwarder Group Overview. On this page, Admins can create and monitor Forwarder Groups that coalesce forwarders together with context and ownership. The top banner contains buttons to update the list of known Forwarders and create new Forwarder Groups. Just below the top banner, Admins can limit the results shown on the overview with filtering options. Admins can show just certain groups, activity from a time range, or limit by source type. Further down the page, Admins can see summaries of each Forwarder Group, Missing Forwarders, and All Forwarders. Selecting a Forwarder Group leads users to the Forwarder Awareness Report.
Forwarder Awareness Report Dashboard
The Forwarder Awareness Report contains a wealth of information about your Forwarders. The report is split into two sections: the Forwarder Inventory, which describes information about all Forwarders, and Missing Forwarders, which describes information specific to Missing Forwarders and provides information about which source types are affected by the outage. At the top of the Forwarder Awareness Report, Admins can filter which Forwarders are included in the report to suit their needs.
The Forwarder Inventory section includes a more detailed list of forwarders by KB/s. These include details of instance, GUID, forwarder type, IP address, SSL enablement, Splunk version, operating system, time last connected, architecture, receiver count, connection count, average KB/s, and average events/s. Selecting a Forwarder from the list shown in the second screenshot opens the Forwarder Investigation section.
Forwarder Awareness also provides a list of Forwarder Groups sorted by license utilization.
This section is only shown when a Forwarder is selected from the Forwarder Inventory table. When shown, the Forwarder Investigation section shows an Admin information about that Forwarder's ingest, license usage, and source types. This can be useful to diagnose Forwarder issues or unusual license utilization.
The Missing Forwarder section helps Admins find, diagnose, and fix missing forwarders. It contains information on which, if any, forwarders are missing, the percent of time this forwarder is up, when this forwarder was last connected, and the affected source types.
Forwarder Awareness Searches
Clicking on the Forwarder Awareness Searches on the navigation bar will open a new tab. This tab contains searches, reports, and alerts regarding Forwarder activity. They can be edited, enabled/disabled, and run from this page. Users can also create a new report or a new alert from this page.