topic Re: How can I produce a report which lists out all the devices reporting to Splunk? in Splunk Search

How can I produce a report which lists out all the devices reporting to Splunk?

vermicknid — Tue, 24 Sep 2013 19:27:57 GMT

Forgive my newbieness - I've tried doing this with:

| metadata type=sourcetypes index="*"

but the output is difficult to interpret, let alone decipher for each thing that is sending data. Is there a way to just do a search to return a list like "Cisco Netflow devices = x, Windows server sources = y" with those numbers just being a sum of those types?

The reason I ask is that a lot of the data feeding into our systems now was done prior to my arriving on the scene, and to be honest, I have no idea of the total scope of devices reporting into Splunk. I'd just like to total up how many of each type there are and have it be readable.

Thanks in advance!

Michael

Re: How can I produce a report which lists out all the devices reporting to Splunk?

wrangler2x — Tue, 24 Sep 2013 20:49:15 GMT

By "devices reporting to splunk" I take it you mean forwarders. If so, this search will show all the forwarders that have contacted the splunk indexer in a given time frame (use the drop-down menu to select, say, last 24 hours).

index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost|table sourceHost, hostname, fwdType, guid, os, arch

        sourceHost      host    fwdType guid                                    os      arch
1       xxx.xxx.xx.28   SERV01  full    A66CB486-6158-4E85-AFA5-D7EED69230F3    Windows x64
2       xxx.xxx.xx.81   MBSX    full    656C9C0C-A7EA-4FE0-8890-CB3178026598    Windows x64
3       xxx.xxx.xx.80   CASIO2  full    728C36E5-3511-4449-9440-4244F84C85B8    Windows x64
6       xxx.xxx.xx.24   MBS444  full    41872E63-6FAB-4050-85CC-6EDC5FEA21A4    Windows x64
8       xxx.xxx.xx.185  logger  full    ECB32768-B062-47DC-B652-34D79B6B2B45    SunOS   sun4v

guid is a unique id for each forwarder. You can modify the search to leave details out you don't need.

Re: How can I produce a report which lists out all the devices reporting to Splunk?

vermicknid — Tue, 24 Sep 2013 20:51:17 GMT

Completely and totally awesome, wrangler2x! That does exactly what I need. I wouldn't have even known where to look! Good thing I'm going to .conf next week! 🙂

Thanks again!

Re: How can I produce a report which lists out all the devices reporting to Splunk?

wrangler2x — Wed, 01 Jul 2015 22:08:14 GMT

If you are running Deployment Monitor you'll have an index called summary_forwarders which would let you use this alternate search:

index="summary_forwarders" NOT sourceHost="127.0.0.1" | stats count by sourceHost sourceIp connectionType version build lastConnected  | eval lastConnected=strftime(lastConnected,"%m/%d/%Y %H:%M:%S") | fields sourceHost sourceIp connectionType version build lastConnected | dedup 1 sourceHost sortby -lastConnected | eval sourceHost=lower(sourceHost) | sort sourceHost

Re: How can I produce a report which lists out all the devices reporting to Splunk?

wrangler2x — Wed, 01 Jul 2015 22:25:27 GMT

Also try this next one, below. 🙂

Re: How can I produce a report which lists out all the devices reporting to Splunk?

wrangler2x — Wed, 01 Jul 2015 22:26:56 GMT

Here is a sample of the output:

sourceHost              sourceIp        connectionType  version build   lastConnected
abs-acct.xyz.uci.edu    xxx.xxx.141.250 heavy forwarder 6.1.4   233537  07/01/2015 14:59:59
abs-dc01.xyz.uci.edu    xxx.xxx.140.110 heavy forwarder 6.1.4   233537  07/01/2015 14:59:59
abs-dc02.xyz.uci.edu    xxx.xxx.219.220 heavy forwarder 6.1.4   233537  07/01/2015 14:59:59
acserver.mmd.uci.edu    xxx.xxx.114.50  heavy forwarder 6.1.4   233537  07/01/2015 14:59:59
ad-saturn-db01          xxx.xxx.77.68   heavy forwarder 6.2.0   237341  07/01/2015 14:59:59
ad-docushare09          xxx.xxx.217.116 heavy forwarder 6.2.0   237341  07/01/2015 14:59:59
nessus                  xxx.xxx.140.3   heavy forwarder 5.0.2   149561  07/01/2015 14:59:59
ad-juno-db01            xxx.xxx.142.85  heavy forwarder 6.2.0   237341  07/01/2015 14:59:59
ticklab-prd             xxx.xxx.109.135 heavy forwarder 6.2.0   237341  07/01/2015 14:59:59
cas2010                 xxx.xxx.73.114  heavy forwarder 6.1.4   233537  07/01/2015 14:59:59