Splunk search to find the traffic of Heavy Forwarders reporting with their IP address?

Roy_9 — Tue, 20 Jun 2023 05:32:15 GMT

Hello,

Can someone please help me with the Splunk search to find the list of Heavy Forwarders reporting with their IP address?

thanks

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

gcusello — Fri, 16 Jun 2023 15:55:26 GMT

if you go in the Monitoring Console at [Forwarders > Forwarders Deployment] you have the list of each Forwarder sending logs to your Splunk with the indication of the Forwarder Type (Universal or Heavy) that you can use to filter results.

Ciao.

Giuseppe

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

Roy_9 — Sat, 17 Jun 2023 21:07:04 GMT

Can you also help me with a search to run this on SH, I saw DMC is not set up in our environment.

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

gcusello — Sun, 18 Jun 2023 09:25:52 GMT

Hi @Roy_9,

it's very strange, because MC is a very useful tool to monitor your Splunk infrastructure!

It's usually available on not clustered Search Heads or on Master Node.

Anyway,

this is the search to have all the Forwarders:

it takes data from a lookup that is alimented by the following scheduled search:

index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* | stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, sparkline(avg(tcp_KBps), 1m) as new_avg_tcp_kbps_sparkline, avg(tcp_KBps) as new_avg_tcp_kbps, avg(tcp_eps) as new_avg_tcp_eps by guid, hostname | inputlookup append=true dmc_forwarder_assets | stats values(forwarder_type) as forwarder_type, max(version) as version, values(arch) as arch, values(os) as os, max(last_connected) as last_connected, values(new_sum_kb) as sum_kb, values(new_avg_tcp_kbps_sparkline) as avg_tcp_kbps_sparkline, values(new_avg_tcp_kbps) as avg_tcp_kbps, values(new_avg_tcp_eps) as avg_tcp_eps by guid, hostname | addinfo | eval status = if(isnull(sum_kb) or (sum_kb <= 0) or (last_connected < (info_max_time - 900)), "missing", "active") | eval sum_kb = round(sum_kb, 2) | eval avg_tcp_kbps = round(avg_tcp_kbps, 2) | eval avg_tcp_eps = round(avg_tcp_eps, 2) | fields guid, hostname, forwarder_type, version, arch, os, status, last_connected, sum_kb, avg_tcp_kbps_sparkline, avg_tcp_kbps, avg_tcp_eps | outputlookup dmc_forwarder_assets

so merging the above searches you can have your list.

Ciao.

Giuseppe

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

Roy_9 — Sat, 01 Jul 2023 04:43:44 GMT

Thanks a lot @gcusello

topic Splunk search to find the traffic of Heavy Forwarders reporting with their IP address? in Splunk Search

Splunk search to find the traffic of Heavy Forwarders reporting with their IP address?

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address

Re: Splunk query to find the traffic of Heavy Forwarders reporting with their IP address