In license_usage.log the indexers appear as a kind of hash value (i=...):
01-02-2012 16:56:16.516 +0100 INFO LicenseUsage - type=Usage s="udp:514" st="cisco_asa" h="172.16.22.7" o="" i="821C72AB-3C16-4124-B278-6C02F448DC22" pool="mypool" b=17906 poolsz=100000
For reporting I want to look up the real names of the indexers. Is there an internal lookup table for doing this?
Update: This field is the GUID of the system. But how to look up the system name?
For Splunk 7 & 8 at least:
To get the daily ingestion per indexer with the hostname rather than the GUID, following your time range picker selection:
index=_telemetry source=*license_usage_summary.log* type="RolloverSummary"
| join type=inner slave [ | rest /servicesNS/-/-/search/distributed/peers splunk_server=local | table guid host | rename guid AS slave ]
| search host=*PATTERN*
| timechart span=1d eval(round(latest(b) / 1024 / 1024 / 1024, 3)) AS sizeGB BY host useother=f
Replace PATTERN with your indexers' hostname convention.
Assuming Splunk 6.x or better:
| rest /services/cluster/config
| fields splunk_server guid
Provided the indexers in question are also peers of this particular search head, you can join with this REST query from any, not just the license master:
rest /services/search/distributed/peers
| table guid peerName
Don't forget the | before rest.
|rest /services/search/distributed/peers
| table guid peerName
Yes, you can look up the hostname of the licenser slave in 4.3+ via the following:
Be sure to select a type of log in license_usage.log to avoid double-counting statistics.
index=_internal source=*license_usage.log type=Usage
| join type=left i
[| rest count=0 /services/licenser/slaves
| rename label as slave
| rename title as i
| table i slave]
The new "slave" field (or whatever you choose to rename label as) will now appear in the results.
Remember you can just browse https://splunkinstance:8089 with a browser, and look for interesting things.
Clever. I'll have to remember this endpoint.
I'm sorry, but this is a lousy way to present information back to administrators during a rolling restart. You can't ping based on an indexer's Guid, you can't ssh to a Guid, you can't use the Guid in your web browser, so if there is a problem with an indexer in the cluster resolve it yourself. I brought this issue up with Splunk Professional Services and our sales engineers. I guess Splunk wanted to add back a little of the SH they have been taking out of IT.
This feedback would be better off as an Enhancement Request to Splunk (a P4 to Splunk Support), rather than on here where they may not see it.
| rest /services/configs/conf-server/general
If you want to look for a specific server by its hostname, you can add splunk_server=<name> to the end of that search.
No; it only polls search peers by default. I suppose you could try splunk_server=<license_master> to the rest call, but that presumes that you have access to the license master itself.
This does not display all the license slaves, it seems.
To answer my own question:
According to a Splunk guy it's not possible to look up the GUID internally.
I built an external lookup table to do that.
It is possible with the rest command, available in 4.3 onwards. See my answer.
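An added example, not part of the original thread: an offline version of the external lookup table approach, which parses license_usage.log lines, keeps only type=Usage events to avoid double-counting, and sums b per indexer after resolving the i GUID to a hostname. The CSV columns (guid, host), the hostname idx01.example.com, the all-zero GUID and the function names are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data. Line 1 is the event quoted in the question; the
# others are made up (simplified RolloverSummary line, unknown GUID).
SAMPLE_LOG = '''\
01-02-2012 16:56:16.516 +0100 INFO LicenseUsage - type=Usage s="udp:514" st="cisco_asa" h="172.16.22.7" o="" i="821C72AB-3C16-4124-B278-6C02F448DC22" pool="mypool" b=17906 poolsz=100000
01-02-2012 16:57:16.516 +0100 INFO LicenseUsage - type=Usage s="udp:514" st="cisco_asa" h="172.16.22.7" o="" i="821c72ab-3c16-4124-b278-6c02f448dc22" pool="mypool" b=94 poolsz=100000
01-02-2012 16:57:20.001 +0100 INFO LicenseUsage - type=Usage s="udp:514" st="syslog" h="172.16.22.9" o="" i="00000000-0000-0000-0000-000000000000" pool="mypool" b=500 poolsz=100000
01-02-2012 23:59:59.000 +0100 INFO LicenseUsage - type=RolloverSummary slave="821C72AB-3C16-4124-B278-6C02F448DC22" pool="mypool" b=18000 poolsz=100000
'''

# Constructed lookup table (hypothetical hostname).
SAMPLE_LOOKUP = "guid,host\n821C72AB-3C16-4124-B278-6C02F448DC22,idx01.example.com\n"

# key=value pairs; the value is either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Return the key=value pairs of one license_usage.log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def load_lookup(csv_text):
    """Map upper-cased GUID -> hostname from a guid,host CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["guid"].upper(): row["host"] for row in reader}


def usage_by_indexer(log_text, lookup):
    """Sum bytes (b) per indexer for type=Usage events only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("type") != "Usage" or "i" not in fields:
            continue  # summary lines would double-count the same bytes
        if not fields.get("b", "").isdigit():
            continue  # skip malformed events instead of failing the report
        guid = fields["i"].upper()
        # Unknown GUIDs stay visible under their GUID rather than vanishing.
        totals[lookup.get(guid, guid)] += int(fields["b"])
    return dict(totals)


if __name__ == "__main__":
    print(usage_by_indexer(SAMPLE_LOG, load_lookup(SAMPLE_LOOKUP)))
```

Keeping unresolved GUIDs in the output makes a stale lookup table show up in the report instead of silently under-counting.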