Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to get forwarder details with port

Mohsin123
Path Finder
‎02-13-2018 02:08 AM

Hi,

Can anyone help me with the query how to list the hosts with forwarder and port details .
Ex, which application has which hosts and whther they have forwarders installed or not?
If they have then , which forwarders are they pointing to with port details

Tags (1)
0 Karma
Reply

harsmarvania57
SplunkTrust
SplunkTrust
‎02-14-2018 12:43 AM

Hi,

Please try below query 

index=_internal source=*metrics.log group=tcpout_connections | stats values(destIp) AS HF_Splunk_Server, values(destPort) AS HF_Port by host

If you want to search for old HFs then you can filter out those using below query.

index=_internal source=*metrics.log group=tcpout_connections (destIp=<Old_HF1_IP> OR destIp=<Old_HF2_IP>) | stats values(destIp) AS HF_Splunk_Server, values(destPort) AS HF_Port by host
0 Karma
Reply

FrankVl
Ultra Champion
‎02-14-2018 12:43 AM

You can find the hosts that are sending to your old HFs with the following search:

index=_internal host=YOUR-OLDHFs source=*metrics.log group=tcpin_connections | stats count by hostname

This shows the metrics for incoming tcp connections on your HFs, listing the hostnames which will be the hosts sending into those tcp connections.

0 Karma
Reply

ansif
Motivator
‎02-13-2018 04:06 AM

Question is not clear. Do you mean to list hosts in your environment which has forwarders installed and not installed ? If UF is installed what you mean by ports details?

0 Karma
Reply

Mohsin123
Path Finder
‎02-14-2018 12:36 AM

Hi Ansif,

Let me clarify a bit ..
We have around 300 approx hosts which send data to splunk .
At those ends if forwarders are there , then in their outputs.conf file , our HFs are reporting .
we want them to change the details of HFs .
Now challenge is that few hosts already have our new HF details and few are pointing to the old ones that we are planning to decommision .
So , i found out list of hosts that send data to splunk by using below queries ...but how can i know which host have pointers to old HFs and which have pointers to new HFs . Can you please frame me a query to achieve this ?

My queries used are below :

index=_internal sourcetype=splunkd source=*metrics.log forwarder|eval forwarder=mvindex(split(source, "/"),-5)|chart values(forwarder) as FORWARDER by host

index=_internal |chart values(h) as HOST by idx

0 Karma
Reply
Get Updates on the Splunk Community!

Platform Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestIntroducing Splunk Edge Processor, simplified data ...

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...