topic Re: Is forwarder management data indexed? in Deployment Architecture

Is forwarder management data indexed?

chanfoli — Tue, 15 Jul 2014 18:40:14 GMT

Hello,

I want to be able to customize searches on the data in the forwarder management page. It would seem that client phone-home status is being cached somewhere like in an index but I can't find it. I would like to be able to have more flexible filtering on what I see and the ability to sort it.

Thanks,
Sean

Re: Is forwarder management data indexed?

lguinn2 — Tue, 15 Jul 2014 19:27:26 GMT

Look in the _internal index. Here are some ideas to get you started...

Are apps being downloaded?

index=_internal component=DeployedApplication OR 
      component=PackageDownloadRestHandler  sourcetype=splunkd 
| table _time log_level host app message

Is the deployment client phoning home?

index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler)
| sort _time
| table _time host log_level message

Is the deployment server hearing the phone homes?

index=_internal metrics group=deploy-server sourcetype=splunkd 
| timechart span=2m avg(nReceived) by host

Re: Is forwarder management data indexed?

chanfoli — Mon, 28 Sep 2020 17:04:54 GMT

Thanks L. I was seeing some relevant events, but I am not finding anything on my deployment server in _internal which would correspond to the actual phone-home event and tie it to a client other than the splunkd_access logs which don't really have anything that useful or even easily extractable. I basically want to search and report similar to the "Clients" tab in forwarder management, but apply some more complex filters and sort the list. If it is not doable I understand.

Re: Is forwarder management data indexed?

lguinn2 — Tue, 15 Jul 2014 22:12:01 GMT

By default, all the forwarders should be sending their splunkd.log files (and some others) to the splunk indexers - so you should be able to see things from the forwarder perspective as well as from the forwarder management server.

A search of

index=_internal sourcetype=splunkd | stats count by host

over the last hour should show many different hosts...

Re: Is forwarder management data indexed?

chanfoli — Wed, 16 Jul 2014 01:24:08 GMT

Thanks again L. Understood. In this case, we recently added 28 of our first windows clients we're mostly splunking Linux. I see most phoning home fine within minutes in the clients page, but it doesn't look like the phone home events actually end up in the clients' splunkd.logs, I see other events relating to watched file monitors etc but nothing with regards to phone-homes. I was trying to access the same data the forwarder management is using to tell me that x-client has phoned home in the past minute, I take it that this either not indexed or not accessible. Thanks, Sean.

Re: Is forwarder management data indexed?

lguinn2 — Wed, 16 Jul 2014 07:09:26 GMT

Did the client actually phone home?

Re: Is forwarder management data indexed?

chanfoli — Wed, 16 Jul 2014 18:20:18 GMT

Yes. According to forwarder management page. Also apps have been deployed as expected.