topic How to get the forwarder IP address reproting to splunk in Splunk Search

How to get the forwarder IP address reproting to splunk

kteng2024 — Tue, 09 Jan 2018 19:35:46 GMT

Hello,

Can i please know how to get the all forwarders IP addresses that a reporting to splunk without use of internal index as some of the users don't have access to the internal data . Therefore, searches created with index=_internal will not work for those people. Is there anyway to create the search without of the use of that to get the all forwarders IP's ?

Re: How to get the forwarder IP address reproting to splunk

JDukeSplunk — Tue, 09 Jan 2018 19:39:37 GMT

I use this as a saved search and have it Run As "owner".

index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version  by sos_server

Re: How to get the forwarder IP address reproting to splunk

gcusello — Tue, 09 Jan 2018 19:41:32 GMT

Hi kteng2024,
you could create a scheduled search and put results in a lookup using outputlookup command.
In this way users with no access to _internal can have the result.
Bye.
Giuseppe

Re: How to get the forwarder IP address reproting to splunk

micahkemp — Tue, 09 Jan 2018 19:42:01 GMT

You can create a dashboard that makes use of a savedsearch configured to run as the owner of the savedsearch, even if the users accessing the dashboard don't have permission to search _internal.

This recent answers post explains the concept.

Re: How to get the forwarder IP address reproting to splunk

mayurr98 — Tue, 09 Jan 2018 19:50:04 GMT

hey @kteng2024

Try this

  | rest /services/deployment/server/clients  | table dns ip  | rename ip as forwarder_ip

let me know if this helps!

Re: How to get the forwarder IP address reproting to splunk

somesoni2 — Tue, 09 Jan 2018 20:30:35 GMT

Best way would be to have a saved search, owned by your/splunk admin, which queries that data from _internal index and puts it to, 1) a lookup table, if number of clients is smaller (<10k), 2) summary index, for larger number of clients, make sure regular user have access to this summary index.

Re: How to get the forwarder IP address reproting to splunk

somesoni2 — Tue, 09 Jan 2018 20:33:07 GMT

This would be a great method for admins to know the requested information. This REST endpoint is only available from Deployment server (unless Deployment server is added as search peer to search head). Furthermore, capability of running REST queries may not be available to regular users (depends upon authorization settings), making is less feasible.

Re: How to get the forwarder IP address reproting to splunk

lenrigodoy — Thu, 16 Dec 2021 20:17:58 GMT

Thank you, that was I want to use to recognize some UF that we use to forward data to our ES environment and aren't under my administration.