Alerting

Where can I find the searches that power the Forwarder Management console?

daniel333
Builder

Hello,

Where can I find the searches that power the Forwarder Management console? I am looking to export and alert on failed hosts or partially deployed hosts.

thanks!
-Daniel

tskinner_splunk
Splunk Employee

I'm looking to grab the search that lists what hosts are within a particular serverclass. Any hints?

0 Karma

bandit
Motivator

This is a similar report (although missing the status of apps deployed) taken from another post which can be found here: http://answers.splunk.com/answers/206895/how-to-provide-a-status-of-a-forwarder-to-a-custom.html

index=_internal source=*metrics.log group=tcpin_connections
    | eval sourceHost=if(isnull(hostname), sourceHost,hostname)
    | rename connectionType as connectType
    | eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
    | eval version=if(isnull(version),"pre 4.2",version)
    | rename version as Ver arch as MachType
    | fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver MachType os
    | eval Indexer= splunk_server
    | eval Hour=relative_time(_time,"@h")
    | stats sum(kb) as total_KB by Hour connectType Ver sourceIp sourceHost MachType os Indexer destPort
    | fieldformat Hour=strftime(Hour,"%x %X") | fieldformat total_KB=tostring(total_KB,"commas") | rename os as OS
0 Karma
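The search above does three things worth checking offline before you alert on it: it classifies each connection (fwdType first, then connectionType), defaults the version to "pre 4.2" when the forwarder reports none, and sums kb per hour per forwarder identity. The Python below is an added example that re-implements that logic outside Splunk; it is not code from the post or from Splunk. The log lines are constructed to follow the key=value layout of metrics.log tcpin_connections entries and are not real captures, and the `splunk_server` argument is an assumed stand-in for the Indexer field, which the SPL takes from the indexing host rather than from the line itself.

```python
"""Offline re-implementation of the metrics.log tcpin_connections roll-up
(classification, version default, hourly sum of kb) from the SPL above."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on metrics.log tcpin_connections entries
# (not captured from a real Splunk instance). The last line is a different
# metrics group and must be ignored by the parser.
SAMPLE_LINES = [
    "09-15-2015 10:05:01.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, "
    "connectionType=cookedSSL, sourcePort=51234, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, "
    "kb=12.50, fwdType=uf, hostname=uf01, os=Linux, version=6.2.4, arch=x86_64",
    "09-15-2015 10:35:44.908 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51240:9997, "
    "connectionType=cookedSSL, sourcePort=51240, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, "
    "kb=7.50, fwdType=uf, hostname=uf01, os=Linux, version=6.2.4, arch=x86_64",
    "09-15-2015 10:12:09.001 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40022:9997, "
    "connectionType=raw, sourcePort=40022, sourceHost=syslog-relay, sourceIp=10.0.0.9, destPort=9997, kb=3.25",
    "09-15-2015 11:02:15.777 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.20:33001:9997, "
    "connectionType=cooked, sourcePort=33001, sourceHost=10.0.1.20, sourceIp=10.0.1.20, destPort=9997, "
    "kb=100.00, fwdType=full, hostname=hf01, os=Windows, version=6.3.0, arch=x86_64",
    "09-15-2015 10:05:01.123 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2",
]

KV_RE = re.compile(r"(\w+)=([^,\s]+)")
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4})")


def parse_metrics_line(line):
    """Return (timestamp, fields) for a tcpin_connections line, or None otherwise."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get("group") != "tcpin_connections":
        return None
    ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
    return ts, fields


def classify_forwarder(fields):
    """Mirror the SPL case(): fwdType decides first, then the raw connection type."""
    fwd = fields.get("fwdType")
    conn = fields.get("connectionType")
    if fwd == "uf":
        return "univ fwder"
    if fwd == "lwf":
        return "lightwt fwder"
    if fwd == "full":
        return "heavy fwder"
    if conn in ("cooked", "cookedSSL"):
        return "Splunk fwder"
    if conn in ("raw", "rawSSL"):
        return "legacy fwder"
    return None  # SPL case() with no matching branch yields null


def summarize_tcpin(lines, splunk_server="idx01"):
    """Sum kb per hour and forwarder identity, like the stats ... by clause in the SPL.
    splunk_server is an assumed placeholder for the Indexer field (indexing host)."""
    totals = defaultdict(float)
    for line in lines:
        parsed = parse_metrics_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        key = (
            ts.replace(minute=0, second=0, microsecond=0).strftime("%Y-%m-%d %H:%M"),
            classify_forwarder(f),
            f.get("version", "pre 4.2"),            # eval version=if(isnull(version),"pre 4.2",version)
            f.get("sourceIp"),
            f.get("hostname", f.get("sourceHost")),  # eval sourceHost=if(isnull(hostname),sourceHost,hostname)
            f.get("arch"),
            f.get("os"),
            splunk_server,
            f.get("destPort"),
        )
        totals[key] += float(f.get("kb", 0))
    names = ("Hour", "connectType", "Ver", "sourceIp", "sourceHost", "MachType", "OS", "Indexer", "destPort")
    ordered = sorted(totals.items(), key=lambda kv: tuple(str(x) for x in kv[0]))
    return [dict(zip(names, k), total_KB=round(v, 3)) for k, v in ordered]


if __name__ == "__main__":
    for row in summarize_tcpin(SAMPLE_LINES):
        print(row)
```

Run against the constructed lines, uf01 collapses into one row of 20.0 KB for the 10:00 hour, the raw connection with no fwdType, hostname or version comes out as a "legacy fwder" on "pre 4.2", and the thruput line is dropped. Feeding real metrics.log lines through `summarize_tcpin` and diffing against the SPL output is a cheap way to confirm the search matches what you expect before wiring an alert to it.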

bandit
Motivator

I'm guessing these are REST API calls, but I'll let you know if I track them down. Hidden searches/REST commands are always an annoyance to me. IMHO, Splunk should make all reports exportable and able to open in a search window. The forwarder management report built into Splunk is a perfect example of this.

0 Karma

bandit
Motivator

This seems related, however, I haven't been able to determine the search/call that is assembled behind the scenes.

splunk/share/splunk/search_mrsparkle/exposed/js/views/deploymentserver
ClientsGridRow.html
ClientsGridRow.js
Clients.html
Clients.js

0 Karma

bandit
Motivator

This is another app you may want to take a look at that has reports/alerts for forwarders and sourcetypes.

https://apps.splunk.com/app/1294/


0 Karma