Deployment Architecture

Identify Number of Forwarders in Splunk environment

ramprakash
Explorer

Hello everyone. I have one doubt. In the Splunk architecture my organization is using, it is mentioned 4 forwarders with their server names. But when I am running any query I am seeing more than 50 hosts. Is it correct understanding that Number of Forwarders = Number of Hosts, and how do I check the correct result?

0 Karma
1 Solution

MikeElliott
Communicator

The below logic will list all the forwarders in your deployment, versions, first/last seen, etc.

index=_internal source=*metrics.log group=tcpin_connections splunk_server=* 
| eval host=if(isnull(hostname), sourceHost,hostname) 
| search (host=*) AND (host!="(ALL)")
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder") 
| eval Ver=if(isnull(version),"pre 4.2",version) 
| fields connectionType sourceIp host kb tcp_eps tcp_KBps splunk_server Ver
| stats min(_time) as first_time, max(_time) as last_time, max(tcp_KBps) as max_tcp_KBps, avg(tcp_KBps) as avg_tcp_KBps, avg(tcp_eps) as avg_tcp_eps, sum(kb) as sum_kb by host sourceIp Ver 
| dedup host
| eval sum_mb = round(sum_kb/1024,0) 
| fields - sum_kb 
| eval avg_tcp_KBps = round(avg_tcp_KBps,0)
| eval max_tcp_KBps = round(max_tcp_KBps,0)
| eval class=case(
avg_tcp_KBps>0 AND avg_tcp_KBps<=128, "Standard Hosts",
avg_tcp_KBps>128 AND avg_tcp_KBps<=256, "Better Hosts",
avg_tcp_KBps>256, "Special Hosts")
| convert ctime(*time) 
| rename first_time as "First seen", last_time as "Last seen", avg_tcp_KBps as "AVG KB/s", avg_tcp_eps as "AVG Events/s per 30 seconds", sum_mb as "Total MB", max_tcp_KBps as "Peak Kbps" connectionType AS "Forwarder Type" sourceIp as "Source IP" host AS "Host" Ver As "Splunk Version"
| sort - "Peak Kbps"


0 Karma


inventsekar
Super Champion

In the Splunk Architect, my organization is using..it is mentioned 4 forwarders with their server name.
I think they are 4 heavy forwarders (or maybe 4 search heads or indexers).

But when i am running any query i am seeing more than 50 hosts.
Probably the 50 hosts are the forwarders; that is correct. Small/medium projects usually have around 50 forwarders.

Is it correct understanding that Number of Forwarders = Number of Hosts
Yes. To be more precise,
Number of Forwarders = Number of Hosts Splunk monitors or gets the log files from.

and how to check the correct result ?
On the first answer, jbrocks updated 2 commands.

As you are a new user, you can upvote the answers, and you can select an answer and "accept" it as the answer, so that this question will be moved to the answered queue. Happy Splunking!

>>> Happy Splunking!
0 Karma

ramprakash
Explorer

I appreciate the answer, but I don't have admin access to run these commands.
I checked the architecture again and they are using 4 Universal Forwarders. Is there any search query, so that I can provide you the result?

0 Karma

gjanders
SplunkTrust

| tstats count where index=* groupby host

This might show you the hosts sending data in; it won't be exact, but it should give you an idea. If you use this version:

| tstats count where index=_* groupby host

you will see all the internal Splunk hosts by looking for internal logs...

0 Karma
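The two searches above answer different questions: MikeElliott's counts forwarder connections seen in metrics.log, gjanders's counts the host values stamped on indexed events, and the two only agree when every host runs its own forwarder. The search below, added here as an example and not taken from either answer, joins both views by short hostname so that hosts whose data arrives through another forwarder or a collector (syslog, HEC) stand out from forwarders that send their own data, and flags anything silent for a day. It assumes the searching role can read index=_internal and the data indexes; the 24-hour threshold and the domain-stripping regex are choices of this example.

```spl
| tstats max(_time) as last_event where index=* by host
| eval name=lower(replace(host, "\..*$", "")), seen_as="data host"
| fields name seen_as last_event
| append
    [ search index=_internal source=*metrics.log group=tcpin_connections
      | eval name=lower(replace(coalesce(hostname, sourceHost), "\..*$", ""))
      | search name!="(all)"
      | stats max(_time) as last_event by name
      | eval seen_as="forwarder" ]
| stats values(seen_as) as seen_as, max(last_event) as last_event by name
| eval silent_24h=if(now()-last_event>86400, "yes", "no")
| eval verdict=case(
    mvcount(seen_as)==2, "forwarder sending its own data",
    seen_as=="data host", "data only: relayed by another forwarder or collector",
    seen_as=="forwarder", "forwarder connected, no events under its own host name")
| convert ctime(last_event)
| table name seen_as verdict silent_24h last_event
| sort verdict name
```

Rows in the "data only" group are the ones that explain "4 forwarders, 50 hosts": they are monitored hosts, not forwarders, and a "forwarder connected, no events" row with silent_24h=yes is a logging gap worth chasing before an incident does.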

jbrocks
Communicator

When you use a deployment server, you can list the deployment clients (servers/forwarders connected to this deployment server) on the command line with

splunk list deploy-clients
-> then type in your splunk user and password and you will get a list.

For simplicity you can do
splunk list deploy-clients | grep "dns"
-> which will only show the dns names of the listed deployment clients

0 Karma
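For a user without shell access to the deployment server, the same client list can be pulled from the search bar through the REST endpoint behind that CLI command. This search is an added example, not jbrocks's command; it assumes the deployment server is the instance you are searching on (otherwise replace splunk_server=local with that server's name), that the role may query the endpoint, and that the entries carry the hostname, dns, ip, splunkVersion and epoch lastPhoneHomeTime fields; the one-hour staleness threshold is a choice of this example.

```spl
| rest /services/deployment/server/clients splunk_server=local
| eval phoned_home=strftime(lastPhoneHomeTime, "%Y-%m-%d %H:%M:%S")
| eval stale=if(now()-lastPhoneHomeTime>3600, "yes", "no")
| table hostname dns ip splunkVersion phoned_home stale
| sort hostname
```

A client marked stale has stopped phoning home and will not receive updated apps or inputs, so its logs may already be missing even if it still appears in the list.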