Deployment Architecture

How to search for Windows host with UF agent installed and push datetime.xml fix app?

Contributor

Hello Everyone - as we may all be aware of the date and time recognition issue in Splunk. I am looking a way to gather a list of all my Windows UFs then deploy the fixing app provided by Splunk. I have approx 1,200 Windows servers with UF installed. Have you already done this and any experience that you can share?

Really appreciate it.

0 Karma
1 Solution

Esteemed Legend

The details are here, if you are using Deployment Server:

index=_* phonehome

View solution in original post

Esteemed Legend

The details are here, if you are using Deployment Server:

index=_* phonehome

View solution in original post

Contributor

Thanks Woodcock with that hint I now have a list of UFs with hostname/IP. It would be great if you can give some insights on steps to deploy the Splunk fix datetime app to all the UFs.

Thanks,

Esteemed Legend

Come back here and post your whole search as a comment here for others to use.

0 Karma

Contributor

Sorry for the delay. Here is a good query that I don't know the source, but it works very well:
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
| eval Indexer= splunk_server
| eval Hour=relative_time(_time,"@h")
| dedup sourceIp
| stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType sourceIp sourceHost destPort Indexer Ver
| fieldformat Hour=strftime(Hour,"%x %H")

0 Karma

Esteemed Legend

There are several answers posts already on this and be sure to check out the page in the banner advertisement on answers (look at the top of this page), too:
https://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/FixDatetimexml2020

0 Karma