icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Data Collection Monitor
SHA256 checksum (data-collection-monitor_021.tgz) 2f309f6ced46c2c7e2b1793307d9cb5db98e012b630d904389f969a9e2ea0d05 SHA256 checksum (data-collection-monitor_020.tgz) 1bf1876a1bc8300d3d3e77177deb78bb8859a59408b48e76f508a80e6ef3b05b SHA256 checksum (data-collection-monitor_010.tgz) d9ea63521af4d30e7c46eedcbed1ed7bc7ef7ea0f415a59e7b7cc6e0b3df1beb
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Data Collection Monitor

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Data Collection Monitor works alongside the Monitoring Console, giving greater visibility into the current status of data collection from Splunk Universal Forwarders, Heavy Forwarders, and other data sources.

This app is a utility for Splunk administrators, which contains dashboards for performing validations before and after maintenance activities related to work performed at the data collection layer.


This app contains six dashboards, made to compliment the Monitoring Console during maintenance activities involving data sources for pre- and post-validations.

With the exception of "Poll Instance", all dashboards are portable, allowing their source XML to be copy-and-pasted into a new dashboard on another Splunk instance.

Overview dashboard

Shows high-level trends of indexing rates, deployment clients, Splunk Stream forwarders, distinct data source counts, and average data source throughput.

Click the Indexing Rate, Events Per Second, HTTP Event Collector Data Received, Deployment Clients Phoning Home, or Stream Forwarders Phoning Home values to expand the metric to the timechart below. The Indexing Rate timechart contains distinct values over time for Indexes, Sourcetypes, Sources, and Hosts to identify changes to ongoing trends. The Deployment Clients and Stream Forwarders Phoning Home values are the distinct count for the given time span, with a minimum span to compensate for adjusted phone home intervals above default.

Click the Show Filters link on the top to expose the time picker.

Forwarder Troubleshooter dashboard

Reviews internal logs and metrics for troubleshooting common forwarder issues. Check this dashboard when performing maintenance activities on forwarders. Includes forwarder information, throughput metrics, stops and starts, index/sourcetype/source details, health status, resource usage, splunkd logs, deployment server messages, and indexer discovery messages.

Filter by a single forwarder at a time, or a batch of forwarders during maintenance or triage.

Data Source Troubleshooter dashboard

Reviews internal logs and metrics for troubleshooting common data source issues. Check this dashboard when deploying configuration changes to data sources. Includes tstats data over time, as well as detected issues with permissions, enqueuing, timestamp parsing, line breaking, aggregation, future timestamps, and time disparity.

Tick the Overlay checkbox in the Tstats Events panels to see distinct values over time for indexes, sourcetypes, sources, and/or hosts to identify changes to ongoing trends.

Tick the Sparklines checkbox in the Tstats Details panel to review individual index, sourcetype, source, and/or host trends beside the other split-by fields.

Data Model Troubleshooter dashboard

Reviews REST and tstats data for troubleshooting common data model issues, similar to the Data Source Troubleshooter but for identifying issues with a particular data model. Works best when installed on a search head which includes the underlying data models (i.e. Splunk_SA_CIM) and associated knowledge objects to identify constrained data (i.e. CIM-compliant tags).

Deployment Clients dashboard

Reviews REST API data from the Deployment Server(s), extending the information given by Forwarder Management. Includes a similar interface to Forwarder Management for monitoring multiple Deployment Servers, with many filters and extended information of both Deployment Clients and Servers.

Poll Instance dashboard

A bit unique relative to the other dashboards, the Poll Instance dashboard pulls information from a remote Splunk instance for diagnostic information, such as from an unpeered Splunk Enterprise instance or a Universal Forwarder. Use this dashboard to troubleshoot issues such as file inputs not ingesting or to validate current configuration settings.

This dashboard requires configuration before use. See the Installation section below regarding setup remote Splunk credentials.

| pollinstance command

This generator command powers the Poll Instance dashboard, and may be used in your own SPL to query REST API endpoints of Splunk Enterprise and Universal Forwarder instances which are not search peers of this instance. Returns a table similar in formatting to the "| rest" command.


| pollinstance splunk_host=<string> [splunk_port=<int>] account=<string> object=<string> [uri]
  • splunk_host - the host/IP of the target Splunk instance to poll information from
  • splunk_port - the management port of the target Splunk instance (optional, default is 8089)
  • account - the account name given to the username/password combination, as saved in this app's Configuration dashboard
  • object - determines what output to return from the instance; choose one of the following:
    • rest - Perform a GET operation from the given REST API endpoint (requires uri to be specified)
    • all - Returns information from all the objects listed below
    • info - System high-level info
    • settings - System high-level settings
    • messages - System messages
    • confs - Current configuration values
    • inputstatus - Input status (tailing processor, exec processor, modular inputs, TCP/UDP)
    • apps - Splunk Apps
    • data - Data inputs and outputs (TCP cooked/raw, UDP, forward servers)
    • kvstore - KV Store
    • cluster - Indexer Cluster
    • shcluster - Search Head Cluster
    • deployment - Deployment Clients
    • licenser - License Slaves
    • search - Distributed search peers
    • health - Splunkd Health
    • status - Introspection (CPU/memory/disk utilization, partitions, splunkd processes)


Poll data from remote Splunk instance "splunk.mycorp.com" REST endpoint "/services/server/status", using credentials from account "Main_IDXC":

| pollinstance splunk_host="splunk.mycorp.com" account="Main_IDXC" object="rest" /services/server/status

Poll all objects from remote Splunk instance "" on non-standard port "8091", using credentials from account "Tampa_UFs":

| pollinstance splunk_host="" splunk_port=8091 account="Tampa_UFs" object="all"


Install this app on a search head, preferably on the Splunk Enterprise instance hosting the distributed Monitoring Console. App will not fully function without peering with the Indexing tier and Deployment Server.

For usage of the Data Model Troubleshooter, consider either installing this app on the search head with the defined data models (i.e. an Enterprise Security search head), or copying this dashboard to that Splunk instance.

For usage of the Poll Instance dashboard and | pollinstance command, the Splunk instance hosting this app must have the admin credentials of the remote Splunk instance's stored locally, as well as IP connectivity to the remote Splunk instance's management port (default TCP/8089). Use the associated Configuration dashboard within this app to add any remote Splunk instance's admin credentials into the encrypted storage passwords service, saved as an Account. Save one Account for each username/password combination used with the Poll Instance dashboard or | pollinstance command, then poll the remote instances as necessary during troubleshooting for information not provided by internal logs. See Splunk docs on how to modify admin credentials on your remote Splunk Enterprise and Universal Forwarder instances.


Data Collection Monitor
by Joe Misner

Kindly submit identified bugs, comments, and suggestions to the developer contact in the sidebar. Thank you!

Release Notes

Version 0.2.1
Sept. 11, 2020

New Features:
- Added HTTP Event Collector and Stream Forwarder metrics to the Overview dashboard

- Indexing Rate metric overlays on the Overview dashboard are now displaying all distinct counts

Version 0.2.0
Sept. 2, 2020

New Features:
- "| pollinstance" generator command, to poll a remote Splunk instance, such as an unpeered Splunk Enterprise instance or a Universal Forwarder, for diagnostic information
- "Poll Instance" dashboard, which utilizes "| pollinstance" to retrieve splunkd health, messages, instance information, apps, resource usage, input status, and configurations
- "Overview" dashboard, to review high-level trends of indexing rates, deployment clients, distinct data source counts, and average data source throughput
- "Data Model Troubleshooter" dashboard, to review internal logs and metrics related to data models and accelerations
- Sparkline option for Tstats Details panels on troubleshooter dashboards, to help visualize individual data sources over time

- Numerous additions, changes, and fixes to the Forwarder Troubleshooter and Data Source Troubleshooter dashboards

Version 0.1.0
June 11, 2020

Initial release


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.