Archive

Is there a search to figure out which forwarder has which app?

Communicator

Hi,

I have a lot of forwarders. I want to make sure that the forwarders got the right app.
I did some searches but could not find anything related to my request.

Is there a Splunk search which shows a list with all forwarders and the installed app?

Thanks

Tags (2)
0 Karma
1 Solution

Ultra Champion

Each forwarder writes to it's splunkd.log under the DeployedApplication component, something like;

07-21-2012 12:01:22.267 +0300 INFO  DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle

If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for

index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host

Hope this helps,

Kristian

View solution in original post

Influencer

You can find information about which forwarder downloaded a deployment app in Splunkd's access log on the deployment server:

index=_internal sourcetype="splunkd_access" uri_path=/services/streams/deployment | rex field=name ":(?<serverClass>.+?):(?<app>.+)" | table _time clientip serverClass app

Communicator

thank you as well! it worked also, but there was just one chance to give it a green tick, sorry but thank you!

0 Karma

Ultra Champion

Each forwarder writes to it's splunkd.log under the DeployedApplication component, something like;

07-21-2012 12:01:22.267 +0300 INFO  DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle

If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for

index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host

Hope this helps,

Kristian

View solution in original post

Communicator

thank you very much, that worked great for my case! 🙂

0 Karma

Ultra Champion

oops. found a typo. fixed it. /k

0 Karma