Alerting

Where can I find the searches that power the Forwarder Management console?

daniel333
Builder

Hello,

Where can I find the searches that power the Forwarder Management console? I am looking to export and alert on failed hosts or partially deployed hosts.

thanks!
-Daniel

tskinner_splunk
Splunk Employee
Splunk Employee

I'm looking to grab the search that lists what hosts are within a particular serverclass. Any hints?

0 Karma

bandit
Motivator

This is a similar report (although missing the status of apps deployed) taken from another post which can be found here: http://answers.splunk.com/answers/206895/how-to-provide-a-status-of-a-forwarder-to-a-custom.html

index=_internal source=*metrics.log group=tcpin_connections
    | eval sourceHost=if(isnull(hostname), sourceHost,hostname)
    | rename connectionType as connectType
    | eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
    | eval version=if(isnull(version),"pre 4.2",version)
    | rename version as Ver arch as MachType
    | fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver MachType os
    | eval Indexer= splunk_server
    | eval Hour=relative_time(_time,"@h")
    | stats sum(kb) as total_KB by Hour connectType Ver sourceIp sourceHost MachType os Indexer destPort
    | fieldformat Hour=strftime(Hour,"%x %X") | fieldformat total_KB=tostring(total_KB,"commas") | rename os as OS
0 Karma

bandit
Motivator

I'm guessing these are rest API calls but I'll let you know if I track them down. Hidden searches/rest commands are always an annoyance to me. IMHO, Splunk should make all reports exportable and able to to open in a search window. The forwarder management report built into Splunk is a perfect example of this.

0 Karma

bandit
Motivator

This seems related, however, I haven't been able to determine the search/call that is assembled behind the scenes.

splunk/share/splunk/search_mrsparkle/exposed/js/views/deploymentserver
ClientsGridRow.html
ClientsGridRow.js
Clients.html
Clients.js

0 Karma

bandit
Motivator

This is another app you may want to take a look at that has reports/alerts for forwarders and sourcetypes.

https://apps.splunk.com/app/1294/

alt text

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...