https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497482#M194808 <P>Hi net1993,</P> <P>if all of your Splunk Enterprise instances are configured using best practices then they forward their <CODE>_internal</CODE> logs to your indexer. This means you can search the <CODE>index=_internal</CODE> for these instances like this:</P> <PRE><CODE>index=_internal sourcetype=splunkd fwdType=full </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 29 Jan 2020 08:01:13 GMT MuS 2020-01-29T08:01:13Z https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497480#M194806 <P>Hi<BR /> Is there a search in splunk which I can run from search head which will show me all splunk enterprise devices?</P> Wed, 29 Jan 2020 07:42:07 GMT https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497480#M194806 net1993 2020-01-29T07:42:07Z https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497481#M194807 <P>Hi @net1993,<BR /> what do you mean with "splunk enterprise devices"?<BR /> if you mean Splunk Enterprise components (Search Heads, Indexers, Heavy Forwarders Universal Forwarders, and the other roles, you can configure and use Monitor Console [Settings -- Monitor Console].</P> <P>You can also have an idea with a simple search <CODE>index=_internal | stats count BY host</CODE> because in this way you have the internal logs of all Splunk components, but you cannot separate Universal Forwarders from the others.</P> <P>Ciao.<BR /> Giuseppe</P> Wed, 29 Jan 2020 07:57:56 GMT https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497481#M194807 gcusello 2020-01-29T07:57:56Z https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497482#M194808 <P>Hi net1993,</P> <P>if all of your Splunk Enterprise instances are configured using best practices then they forward their <CODE>_internal</CODE> logs to your indexer. This means you can search the <CODE>index=_internal</CODE> for these instances like this:</P> <PRE><CODE>index=_internal sourcetype=splunkd fwdType=full </CODE></PRE> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 29 Jan 2020 08:01:13 GMT https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497482#M194808 MuS 2020-01-29T08:01:13Z https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497483#M194809 <P>If you're referring to Splunk Enterprise instances as well as Forwarders, you might want to take a look into the <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/DMC/DMCoverview">Monitoring Console</A> as it offers all of that. If you want those dashbaords combined, just steal that SPL and put it in your own dashboard as many of those searches are simply searching through the _internal index of Splunk.</P> <P>Skalli</P> Wed, 29 Jan 2020 08:13:44 GMT https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497483#M194809 skalliger 2020-01-29T08:13:44Z https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497484#M194810 <P>Oh, I was too slow <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 29 Jan 2020 08:14:01 GMT https://community.splunk.com/t5/Splunk-Search/search-to-show-me-all-my-splunk-enterprise-devices/m-p/497484#M194810 skalliger 2020-01-29T08:14:01Z