topic Re: Create report listing all clients in Getting Data In

Create report listing all clients

damonmanni — Tue, 06 May 2014 17:24:52 GMT

Hello splunkr's,

I am trying to create a simple report that will show me all the clients that have the splunk forwarder installed on them. The current way I deduce this is via the Deployment Server by: Settings > fwdr mgmt > Clients tab > Shows a sum total of 268 clients. I then copy & paste the results into excel. Silly I know but I've been reading, trying, hacking, scheduling jobs but cannot get the equivalent info. Just keeping it simple.

All I want is the Search cmd I can run that reports the total # of clients and has the same type of info with columns of: Hostname | IP Address | Machine type | Deployed Apps

I would then like it stored in a CSV file so I can have import into excel.

Here are a few search cmds I been trying but they either run on forever, giving huge total counts of clients that is radically different from the Deployment svr UI report (we should been in the ball park of a few hundred clients).

Attempts:
1) * | top limit=0 host | sort host (Reports false hostnames, runs forever even with time range set, total count not true)

2) host=*|stats distinct_count(host) by host (Reports false hostnames, very slow to run)

3) * | dedup host | stats count by host | sort host (Reports false hostnames, runs forever even with time range set, total count not true)

All dead-on examples would be much appreciated.

cheers,
Damon

Re: Create report listing all clients

lguinn2 — Tue, 06 May 2014 17:53:14 GMT

Try this to get a list of the hosts

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename  arch as MachineType
| fields connectionType sourceIp sourceHost  version MachineType
| dedup sourceIP

Getting a list of the deployed apps is not tricky, but it depends on the version of Splunk.
For Splunk 6, try this

index=_internal component=DeployedApplication OR component= PackageDownloadRestHandler  sourcetype=splunkd | dedup host app | table host app

Put them together:

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename  arch as MachineType
| fields connectionType sourceIp sourceHost  version MachineType
| dedup sourceIP
| rename sourceHost as host
| join type=outer host [ search index=_internal component=DeployedApplication OR component= PackageDownloadRestHandler  sourcetype=splunkd | dedup host app | table host app ]

Re: Create report listing all clients

damonmanni — Tue, 06 May 2014 20:02:35 GMT

Thanks for the quick response and multiple options and exactness.

I am running splunk V6 Enterprise.

The 1st option did not work for me at all: just kept churning but no results.

The 2nd option produced results but I got over 10,000 entries. Actual should be around 270 hosts.

The 3rd option (combined) did not run at all like #1. churns & no results

Still stuck.

Re: Create report listing all clients

lguinn2 — Tue, 06 May 2014 20:29:27 GMT

Sorry about that - I managed to cut and paste more than I intended for the second search.

What time range are you running for the first search?

Re: Create report listing all clients

mendesjo — Thu, 28 Jan 2016 18:01:32 GMT

I find that allot ... people with good intentions providing query's (that I'm gratefull saves allot of time) but many don't work..

Re: Create report listing all clients

yunkwang — Tue, 29 Sep 2020 10:41:05 GMT

Made minor updates of the answer to show forwarder types for all clients and make a table:

index=_internal source=metrics.log group=tcpin_connections fwdType= | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="univ*","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder") | eval version=if(isnull(version),"pre 4.2",version) | rename arch as MachineType | dedup sourceIp | table connectionType,sourceIp,sourceHost,version,MachineType