topic Re: Unable to run certificate package version query for forwarders in Splunk Search

Why unable to run certificate package version query for forwarders?

x3ncrypt — Wed, 04 May 2022 15:44:17 GMT

Unable to perform the following search provided by Splunk to check forwarder certificate package version:

index=_internal source=*metrics.log group=tcpout_connections

name=splunkcloud*

| stats latest(_time) AS _time latest(name) AS name by host

| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"

| eval fwd_config=if(isnotnull(output_group),“new”,“legacy”)

| stats count by _time host output_group fwd_config

| reltime

| fields _time reltime host output_group fwd_config

| sort 0 fwd_config

Re: Unable to run certificate package version query for forwarders

x3ncrypt — Wed, 04 May 2022 00:30:23 GMT

No errors are displayed after running the search, yet I receive no returned results.

Re: Unable to run certificate package version query for forwarders

isoutamo — Wed, 04 May 2022 09:01:08 GMT

you are running this towards Splunk Cloud environment (UFs' send data to SC) and you haven't change output_group names from what they have provided with UF configuration packages?

One change what you can do is

index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud* | stats latest(_time) AS _time latest(name) AS name by host | rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_" | eval fwd_config=if(isnotnull(output_group),"new","legacy") | fillnull value="N/A" output_group | stats count by _time host output_group fwd_config | reltime | fields _time reltime host output_group fwd_config | sort 0 fwd_config

So update output_group name to "N/A" if it's null (shouldn't be) after fwd_config has set.

Have you gotten any events when you runs only 1st line?

r. Ismo