topic Re: Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix? in Knowledge Management

Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix?

infra2sec — Fri, 29 Jul 2016 14:27:47 GMT

Does anyone know how to generally quantify within a report or otherwise whether or not a system with an OS of any type is communicating with Splunk? I am sure that routers will be involved with my quest as well.

Thanks in advance.

Re: Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix?

twinspop — Fri, 29 Jul 2016 14:35:07 GMT

index=_internal  component=Metrics group=tcpin_connections

Those logs contain version and OS info. Slice and dice with stats as needed.

EDIT: Something like this, where _time will be the last time it logged:

EDIT EDIT: changed host to hostname (duh)

index=_internal  component=Metrics group=tcpin_connections | stats latest(_time) as _time latest(build) as Build latest(version) as SplunkVersion latest(os) as OS latest(fwdType) as SplunkType values(lastIndexer) as Indexers by hostname

Re: Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix?

lycollicott — Fri, 29 Jul 2016 14:38:31 GMT

index=_internal component=HttpPubSubConnection | table host | dedup host | sort host