If there were a secret sauce for Splunk, the key ingredient would be the platform’s universal forwarders. Providing users with the ability to automatically send data for indexing, Splunk forwarders are essential to data delivery in Splunk Enterprise and Splunk Cloud environments.
In most Splunk instances, you have multiple forwarders. These forwarders throw data at your search heads and indexers in order to read and store your data. However, there has historically been an issue with forwarders: they go missing and they fail.
If you’re looking at your data pipeline in Splunk, your forwarders are on the front line. Forwarders play a pivotal role in ingesting your data; however, they can disappear or unexpectedly fail (without you knowing). A missing forwarder may result in an issue as small as temporarily not ingesting data. However, a missing forwarder could also be an indication of a much larger issue, like an entire server going down.
To solve this age-old problem in Splunk, we’ve built an application within Atlas, our new platform for Splunk, that allows you to have eyes on all of your forwarders in one place.
Atlas’s Forwarder Awareness Application
Atlas Forwarder Awareness is an application that provides visibility into all of your forwarders, their statuses, and any misconfigurations or failures within your environment. Built within the Atlas Application Suite, the Forwarder Awareness tool enables teams to have constant visibility into their forwarders’ health and statuses.
Now teams can quickly determine if a forwarder is missing and take action—immediately.
In Splunk’s own Forwarder Management interface, users are alerted when forwarders go missing, but with limited information or guidance on the issue. When this happens, Splunk teams have to dig through alerts in their Splunk monitoring console to try to identify an issue with their forwarders.
The Atlas Forwarder Awareness tool sends you a list of the forwarders that are missing and which data sources are impacted. Instead of requiring users to log into their Splunk monitoring console, users can now access this critical information on their forwarders directly through their Search Head Cluster. This application offers real-time visibility and awareness into your forwarders’ health and status.
The Value in Visibility
Without requiring admin access, you (and your team) have full visibility into the status and health of your forwarders in one view. From this view, users can see graphs representing forwarder statuses by operating system, forwarder types in use, and forwarders’ SSL status. In the application, users also have visibility into top-performing forwarders (by total WB) and missing forwarders.
In the example below, you’ll see a really powerful element of Forwarder Awareness. The screen below shows that a forwarder is offline (with no contact in 15 minutes or longer), the last time Splunk saw that forwarder, and which sourcetypes may be affected. That view does not require admin access.
These insights are invaluable, and this is critical information for you and your team to identify. These immediate insights are only available to users through Atlas’s Forwarder Awareness application. In any other situation, teams would spend hours of their time and resources to identify this same information.
To put it simply, a missing forwarder means missing data, failed compliance standards, inactive SSL certificates, and many more detrimental losses for Splunk teams. Ultimately, a missing forwarder can be extremely costly to an organization in both data loss and spent resources.
Every Splunk instance is at risk of a failed or missing forwarder. With your forwarders being at the front line of your data pipeline, it’s essential to have eyes on them at all times. With Atlas’s Forwarder Awareness Application, you have the visibility you need.
This is just a glimpse into the power of the Atlas platform. Paired with more applications, reference designs, and support services, Atlas enables all Splunk teams to be successful. If you’d like to learn more about the Atlas Platform, let us know in the form below.