Archive
Highlighted

how to determine the inputs to the Splunk environments from Search Head console

Path Finder

I have 3 indexers and 1 search head. From the search head is it possible any way to determine how many are the UF or Forwarders configured to my Splunk Architecture.

I am into an assignment and the individual previously working has left. Now I am totally messed up so as to determine howmuch and from where the data is pushed into Splunk environment.

Thanks.
Vikram.

Tags (1)
0 Karma
Highlighted

Re: how to determine the inputs to the Splunk environments from Search Head console

Splunk Employee
Splunk Employee

Look at the metadata command, over a given period it will show you what hosts are sending data to Splunk.

| metadata type=hosts index=*
| fields - firstTime,totalCount,type
| convert ctime(lastTime) ctime(recentTime)
| table host ageInSeconds lastTime recentTime

You can also use type=sourcetypes here and see relative sourcetypes.

See docs here : https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Metadata

Additionally, you can look at forwarder management on the DMC if you are using a more recent version and it will give you additional information such as topology and forwarder types coming in.

You can also look through _internal index and build from there..

View solution in original post

0 Karma