Hello Everyone - as we may all be aware of the date and time recognition issue in Splunk. I am looking a way to gather a list of all my Windows UFs then deploy the fixing app provided by Splunk. I have approx 1,200 Windows servers with UF installed. Have you already done this and any experience that you can share?
Really appreciate it.
Thanks Woodcock with that hint I now have a list of UFs with hostname/IP. It would be great if you can give some insights on steps to deploy the Splunk fix datetime app to all the UFs.
Sorry for the delay. Here is a good query that I don't know the source, but it works very well:
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
| eval Indexer= splunk_server
| eval Hour=relative_time(_time,"@h")
| dedup sourceIp
| stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType sourceIp sourceHost destPort Indexer Ver
| fieldformat Hour=strftime(Hour,"%x %H")
There are several answers posts already on this and be sure to check out the page in the banner advertisement on answers (look at the top of this page), too: