https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472341#M81179 <P>Your join doesn't have a field to join on, such as the host name of your HFs.</P> <P>Even better, don't use join if all you want is to filter one search by another search:</P> <PRE><CODE>generating search for your hardware stuff [search for your HFs | dedup hostname | table hostname | rename hostname as host] | rex, extract, table, whatever </CODE></PRE> Tue, 24 Dec 2019 12:57:45 GMT martin_mueller 2019-12-24T12:57:45Z https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472340#M81178 <P>Hi Splunkers,</P> <P>I am still a beginner, trying to write a query to fetch splunk heavy forwarder's cpu, memory usage and other hardware related stuff. With the below query i am not able to fetch the correct values for Heavy forwarders(see below results). So, could anyone please help me to resolve this issue. </P> <P>Query: <CODE>internal</CODE> host=<EM>spi</EM> source="/opt/splunk/var/log/splunk/metrics.log" fwdType=full | dedup hostname | table hostname | join type=left [search index = * sourcetype=nix:hardware host=* | rex mode=sed "s/\s\s+/=/g" | extract kvdelim="=" pairdelim="\n" ] |table hostname,CPU_TYPE,CPU_COUNT,MEMORY_REAL</P> <P>Results: Same values being replicated for all Hfs which is incorrect</P> <P>Host CPU_TYPE CPU_COUNT MEMORY_REAL<BR /> HF 1 Intel(R) Xeon(R) @ 2.70GHz 12 24504164 kB<BR /><BR /> HF 2 Intel(R) Xeon(R) @2.70GHz 12 24504164 kB<BR /><BR /> HF 3 Intel(R) Xeon(R) @2.70GHz 12 24504164 kB</P> <P>HF n Intel(R) Xeon(R) @ 2.70GHz 12 24504164 kB </P> Wed, 30 Sep 2020 03:28:58 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472340#M81178 swamysanjanaput 2020-09-30T03:28:58Z https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472341#M81179 <P>Your join doesn't have a field to join on, such as the host name of your HFs.</P> <P>Even better, don't use join if all you want is to filter one search by another search:</P> <PRE><CODE>generating search for your hardware stuff [search for your HFs | dedup hostname | table hostname | rename hostname as host] | rex, extract, table, whatever </CODE></PRE> Tue, 24 Dec 2019 12:57:45 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472341#M81179 martin_mueller 2019-12-24T12:57:45Z https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472342#M81180 <P>The easiest way (AND FREE) is to enable <CODE>platform instrumentation</CODE> which will start populating the <CODE>_introspection</CODE> index (disabled by default) by following these steps:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF">http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ConfigurePIF</A></P> <P>Then search like this:</P> <PRE><CODE>index="_introspection" AND sourcetype="splunk_resource_usage" </CODE></PRE> <P>Here are some other ways, too:<BR /> <A href="https://answers.splunk.com/answers/423998/is-there-an-easy-way-to-get-resource-usage-per-spl.html">https://answers.splunk.com/answers/423998/is-there-an-easy-way-to-get-resource-usage-per-spl.html</A></P> Tue, 24 Dec 2019 19:20:36 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-query-to-fetch-Heavy-forwarder-s-Hardware-specifications/m-p/472342#M81180 woodcock 2019-12-24T19:20:36Z