Deployment Architecture

Forwarder management - How to list only servers with 0 apps deployed

Anonymous
Not applicable

Hi all.

In our environment the uForwarder gets automatically installed when a new server enters the domain.
And from there we pick it up in our Deployment server. But this has to be done manually.
Some days there are 0 new servers and some days there are several.

I have looked in different logs, but I can only find logs from servers with a Server Class or an App.

Command:
/opt/splunk/bin/splunk list deploy-clients
Will show all the clients, even those with 0 deployed apps.

The only place I have found it written is in:
/opt/splunk/var/log/splunk/splunkd.log

Like this:
xx.xx.xx.xxx - - [12/Jul/2019:12:30:59.128 +0100] "POST services/broker/phonehome/connection_xx.xx.xx.xxx_port_hostname.domain_hostname_UNIQUE ID HTTP/1.1" 200 616 - - - 1ms

Question:
Is this the only place outside the website where I can find a new server added to the deployment server?

0 Karma

jkat54
SplunkTrust

If you open the deployment server's UI and go to settings -> forwarder management -> click the clients tab. Here you see all clients, and if you click on the > next to their name it will show the list of installed apps. On the right side there will be the number of installed apps on each client.

0 Karma

Anonymous
Not applicable

Thanks for the quick response.
We have used this option for a while now.
But we need to check it daily, and I would hope I could make a search in Splunk to notify when a new uforwarder appears in Deployment.

0 Karma

jkat54
SplunkTrust

If you look at your job history after opening that view on the DS, you will see the search that is executed to create that view.

0 Karma

Anonymous
Not applicable

Thank you, I will try this.

0 Karma

jkat54
SplunkTrust

This gets you close:

| rest /services/deployment/server/clients/ | table dns applications*action | transpose 0 | foreach column [eval Application=<<FIELD>>] | rex mode=sed field=Application "s/(applications\.)|(\.action)//g" | transpose 0 | rename "row 1" as "DNS" | foreach row* [ eval <<FIELD>>='<<FIELD>>']
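A first-seen check over phonehome lines in the layout quoted in the question, as an added example that is not code from the thread or from Splunk. The field order is assumed from that quoted line; the sample lines, the known-id set and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Field order assumed from the log line quoted in the question:
#   connection_<ip>_<port>_<dns name>_<hostname>_<client id>
# Assumption: hostname and client id contain no underscore.
PHONEHOME = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /?services/broker/phonehome/'
    r'connection_(?P<ip>[0-9A-Fa-f.:]+)_(?P<port>\d+)_(?P<dns>\S+)'
    r'_(?P<host>[^_\s]+)_(?P<client_id>[^_\s]+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

def parse_phonehome(line):
    """Return a dict for a successful phonehome request, else None."""
    m = PHONEHOME.match(line)
    if m is None or m["status"] != "200":
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
    return rec

def new_clients(lines, known_ids):
    """Map client id -> earliest phonehome record, for ids not in known_ids."""
    first_seen = {}
    for line in lines:
        rec = parse_phonehome(line)
        if rec is None or rec["client_id"] in known_ids:
            continue
        prev = first_seen.get(rec["client_id"])
        if prev is None or rec["time"] < prev["time"]:
            first_seen[rec["client_id"]] = rec
    return first_seen

# Constructed sample lines (documentation IPs, made-up hosts and client ids).
SAMPLE_LINES = [
    '192.0.2.10 - - [12/Jul/2019:12:30:59.128 +0100] "POST /services/broker/phonehome/connection_192.0.2.10_8089_web01.example.test_web01_11111111-2222-3333-4444-555555555555 HTTP/1.1" 200 616 - - - 1ms',
    '192.0.2.11 - - [12/Jul/2019:12:31:02.004 +0100] "POST /services/broker/phonehome/connection_192.0.2.11_8089_db01.example.test_db01_AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE HTTP/1.1" 200 616 - - - 1ms',
    '192.0.2.11 - - [12/Jul/2019:12:32:02.010 +0100] "POST /services/broker/phonehome/connection_192.0.2.11_8089_db01.example.test_db01_AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE HTTP/1.1" 200 616 - - - 1ms',
    '192.0.2.12 - - [12/Jul/2019:12:33:00.000 +0100] "GET /services/server/info HTTP/1.1" 200 1024 - - - 2ms',
]
# Client ids already assigned to a server class (constructed).
KNOWN_IDS = {"11111111-2222-3333-4444-555555555555"}

if __name__ == "__main__":
    for cid, rec in sorted(new_clients(SAMPLE_LINES, KNOWN_IDS).items()):
        print(rec["time"].isoformat(), rec["host"], rec["ip"], cid)
```

Persisting the known-id set between runs turns this into a daily report of forwarders that have phoned home but have not yet been handled.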