Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forwarder managament - How to list only servers with 0 apps deployed

Anonymous
Not applicable
‎07-12-2019 04:44 AM

Hi all.

In our enviroment the uForwarder gets automatic installed when a new server is entering the domain.
And from there we pick it up in our Deployment server. But this has to be done manually.
Some days there are 0 new servers and some days there are several.

I have looked in different logs, but I can only find logs from servers with a Server Class or an App.

Command:
/opt/splunk/bin/splunk list deploy-clients
Wil show all the clients even thos with 0 deployed apps.

The only place i have found it written is in:
/opt/splunk/var/log/splunk/splunkd.log

Like this:
xx.xx.xx.xxx - - [12/Jul/2019:12:30:59.128 +0100] "POST services/broker/phonehome/connection_xx.xx.xx.xxx_port_hostname.domain_hostname_UNIQUE ID HTTP/1.1" 200 616 - - - 1ms

Question:
is this the only place outside the website I can find a new server added to the deployment server?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-12-2019 04:52 AM

If you open the deployment servers UI and go to settings -> forwarder management -> click the clients tab. Here you see all clients and if you click on the > next to their name it will show list installed apps. On right side there will be number of installed apps on each client.

0 Karma
Reply

Anonymous
Not applicable
‎07-12-2019 05:01 AM

Thanks for the quick response.
We have used this option for a while now.
But we need to check it daily, and I would hope I could make a search in splunk to notify when a new uforwarder appeared in Deployment.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-12-2019 05:17 AM

If you look at your job history after opening that view on the DS, you will see the search that is executed to create that view

0 Karma
Reply

Anonymous
Not applicable
‎07-12-2019 05:33 AM

Thnk you, I wil try this.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-12-2019 07:01 AM

this gets you close:

| rest /services/deployment/server/clients/ | table dns applications*action | transpose 0 | foreach column [eval Application=<<FIELD>>] | rex mode=sed field=Application "s/(applications\.)|(\.action)//g" | transpose 0 | rename "row 1" as "DNS" | foreach row* [ eval <<FIELD>>='<<FIELD>>']
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...