Deployment Architecture

Identify Number of Forwarders in Splunk environment

ramprakash
Explorer

Hello everyone. I have one doubt. In the Splunk architecture my organization is using, it is mentioned 4 forwarders with their server names. But when I am running any query I am seeing more than 50 hosts. Is it correct understanding that Number of Forwarders = Number of Hosts, and how to check the correct result?

0 Karma
1 Solution

MikeElliott
Communicator

The below logic will list all the forwarders in your deployment, versions, first/last seen, etc.

index=_internal source=*metrics.log group=tcpin_connections splunk_server=* 
| eval host=if(isnull(hostname), sourceHost,hostname) 
| search (host=*) AND (host!="(ALL)")
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder") 
| eval Ver=if(isnull(version),"pre 4.2",version) 
| fields connectionType sourceIp host kb tcp_eps tcp_KBps splunk_server Ver
| stats min(_time) as first_time, max(_time) as last_time, max(tcp_KBps) as max_tcp_KBps, avg(tcp_KBps) as avg_tcp_KBps, avg(tcp_eps) as avg_tcp_eps, sum(kb) as sum_kb by host sourceIp Ver 
| dedup host
| eval sum_mb = round(sum_kb/1024,0) 
| fields - sum_kb 
| eval avg_tcp_KBps = round(avg_tcp_KBps,0)
| eval max_tcp_KBps = round(max_tcp_KBps,0)
| eval class=case(
avg_tcp_KBps>0 AND avg_tcp_KBps<=128, "Standard Hosts",
avg_tcp_KBps>128 AND avg_tcp_KBps<=256, "Better Hosts",
avg_tcp_KBps>256, "Special Hosts")
| convert ctime(*time) 
| rename first_time as "First seen", last_time as "Last seen", avg_tcp_KBps as "AVG KB/s", avg_tcp_eps as "AVG Events/s per 30 seconds", sum_mb as "Total MB", max_tcp_KBps as "Peak KB/s", connectionType as "Forwarder Type", sourceIp as "Source IP", host as "Host", Ver as "Splunk Version"
| sort - "Peak KB/s"

0 Karma
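The search above depends on a handful of fields in the group=tcpin_connections events of metrics.log. As an added example (not code from the original post), here is the same inventory logic re-implemented in Python over a few constructed, abridged metrics.log lines, so the raw fields it keys on (hostname/sourceHost, sourceIp, fwdType, connectionType, version, kb, _tcp_KBps, _tcp_eps) are visible. The field layout follows metrics.log as I know it and is an assumption to check against $SPLUNK_HOME/var/log/splunk/metrics.log on an indexer; the sample events and their values are constructed.

```python
"""Added example, not code from the original post: the forwarder-inventory
search re-implemented in Python over constructed metrics.log lines.
Field names follow the group=tcpin_connections layout of metrics.log as I
know it; the sample is constructed and abridged, and is an assumption to check
against $SPLUNK_HOME/var/log/splunk/metrics.log on an indexer."""
import re
from datetime import datetime

# Constructed, abridged sample: two 30-second metrics intervals on one indexer.
# web01/web02 are universal forwarders, hf01 a heavy forwarder, 10.1.2.60 a raw
# TCP sender that reports no hostname or version. The per_host_thruput line is
# included to show that the group filter drops other metric groups.
SAMPLE_METRICS_LOG = """\
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.10:51000:9997, connectionType=cookedSSL, sourceHost=10.1.2.10, sourceIp=10.1.2.10, destPort=9997, kb=120.50, _tcp_KBps=4.02, _tcp_eps=15.30, version=9.1.2, hostname=web01, fwdType=uf, ssl=true
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.11:51001:9997, connectionType=cookedSSL, sourceHost=10.1.2.11, sourceIp=10.1.2.11, destPort=9997, kb=30.00, _tcp_KBps=1.00, _tcp_eps=3.10, version=9.1.2, hostname=web02, fwdType=uf, ssl=true
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.50:51002:9997, connectionType=cooked, sourceHost=10.1.2.50, sourceIp=10.1.2.50, destPort=9997, kb=9000.00, _tcp_KBps=300.00, _tcp_eps=800.00, version=9.1.2, hostname=hf01, fwdType=full, ssl=false
03-01-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.60:51003:9997, connectionType=raw, sourceHost=10.1.2.60, sourceIp=10.1.2.60, destPort=9997, kb=2.00, _tcp_KBps=0.07, _tcp_eps=0.20
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.10:51000:9997, connectionType=cookedSSL, sourceHost=10.1.2.10, sourceIp=10.1.2.10, destPort=9997, kb=180.50, _tcp_KBps=6.02, _tcp_eps=22.10, version=9.1.2, hostname=web01, fwdType=uf, ssl=true
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.50:51002:9997, connectionType=cooked, sourceHost=10.1.2.50, sourceIp=10.1.2.50, destPort=9997, kb=3000.00, _tcp_KBps=100.00, _tcp_eps=250.00, version=9.1.2, hostname=hf01, fwdType=full, ssl=false
03-01-2024 10:00:30.000 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=4.0, eps=15.0, kb=120.0, ev=450, avg_age=1.0, max_age=2
"""

TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} ([+-]\d{4}) ")
KV_RE = re.compile(r"(\w+)=([^,]+)")


def parse_tcpin_connections(text):
    """Return [(timestamp, fields)] for each group=tcpin_connections event in the text."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m or "group=tcpin_connections" not in line:
            continue
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m-%d-%Y %H:%M:%S %z")
        # Search-time extraction exposes _tcp_KBps as tcp_KBps, _tcp_eps as tcp_eps, etc.
        fields = {k.lstrip("_"): v.strip() for k, v in KV_RE.findall(line)}
        events.append((ts, fields))
    return events


def forwarder_type(f):
    """The case() in the search: fwdType (set by Splunk forwarders) wins, else connectionType."""
    fwd, conn = f.get("fwdType"), f.get("connectionType")
    if fwd == "uf":
        return "univ fwder"
    if fwd == "lwf":
        return "lightwt fwder"
    if fwd == "full":
        return "heavy fwder"
    if conn in ("cooked", "cookedSSL"):
        return "Splunk fwder"
    if conn in ("raw", "rawSSL"):
        return "legacy fwder"
    return None


def size_class(avg_kbps):
    """The class bands in the search; None when nothing matches (an average that rounds to 0)."""
    if 0 < avg_kbps <= 128:
        return "Standard Hosts"
    if 128 < avg_kbps <= 256:
        return "Better Hosts"
    if avg_kbps > 256:
        return "Special Hosts"
    return None


def forwarder_inventory(text):
    """One row per forwarder, sorted by peak KB/s: the stats/dedup/sort part of the search."""
    acc = {}  # (host, sourceIp, version) -> accumulator, i.e. `stats ... by host sourceIp Ver`
    for ts, f in parse_tcpin_connections(text):
        host = f.get("hostname") or f.get("sourceHost")  # eval host=if(isnull(hostname), sourceHost, hostname)
        if not host or host == "(ALL)":
            continue
        key = (host, f.get("sourceIp", ""), f.get("version", "pre 4.2"))
        a = acc.setdefault(key, {"first": ts, "last": ts, "kbps": [], "eps": [], "kb": 0.0,
                                 "type": forwarder_type(f)})
        a["first"], a["last"] = min(a["first"], ts), max(a["last"], ts)
        a["kbps"].append(float(f.get("tcp_KBps", 0)))
        a["eps"].append(float(f.get("tcp_eps", 0)))
        a["kb"] += float(f.get("kb", 0))
    rows, seen = [], set()
    for (host, ip, ver), a in acc.items():
        if host in seen:  # | dedup host : keep one row per host
            continue
        seen.add(host)
        avg_kbps = round(sum(a["kbps"]) / len(a["kbps"]))
        rows.append({
            "host": host, "source_ip": ip, "splunk_version": ver, "forwarder_type": a["type"],
            "first_seen": a["first"], "last_seen": a["last"],
            "avg_KBps": avg_kbps, "avg_eps": round(sum(a["eps"]) / len(a["eps"]), 2),
            "peak_KBps": round(max(a["kbps"])), "total_mb": round(a["kb"] / 1024),
            "class": size_class(avg_kbps),
        })
    rows.sort(key=lambda r: r["peak_KBps"], reverse=True)
    return rows


def count_forwarders(text):
    """Distinct forwarders seen by the indexer, which is the number the question asks for."""
    return len(forwarder_inventory(text))


if __name__ == "__main__":
    for r in forwarder_inventory(SAMPLE_METRICS_LOG):
        print(f'{r["host"]:<10} {str(r["forwarder_type"]):<14} {r["splunk_version"]:<8} '
              f'peak={r["peak_KBps"]:>4} KB/s  avg={r["avg_KBps"]:>4} KB/s  total={r["total_mb"]} MB  '
              f'class={r["class"]}  seen {r["first_seen"]:%H:%M:%S}-{r["last_seen"]:%H:%M:%S}')
    print("forwarders:", count_forwarders(SAMPLE_METRICS_LOG))
```

Note that the raw sender on 10.1.2.60 has no hostname, so the inventory keys it by sourceHost and labels its version "pre 4.2" exactly as the search does; also note that this counts forwarders connecting to the indexer, which is not the same thing as the number of distinct host values in indexed events. Reading metrics.log from disk needs filesystem access on the indexer, just as the search needs read access to the _internal index.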

inventsekar
Ultra Champion

In the Splunk architecture my organization is using, it is mentioned 4 forwarders with their server names.
I think they are 4 heavy forwarders (or, maybe, 4 search heads or indexers).

But when I am running any query I am seeing more than 50 hosts.
Probably the 50 hosts are the forwarders; that is correct. Small/medium projects usually have around 50 forwarders.

Is it correct understanding that Number of Forwarders = Number of Hosts?
Yes; to be more precise,
Number of Forwarders = Number of Hosts Splunk monitors or gets the log files from.

And how to check the correct result?
In the first answer, jbrocks posted 2 commands.

As you are a new user: you can upvote the answers, and you can select an answer and "accept" it as the answer, so that this question will be moved to the answered queue. Happy Splunking!

0 Karma

ramprakash
Explorer

I appreciate the answer, but I don't have admin access to run these commands.
I checked the architecture again and they are using 4 Universal Forwarders. Is there any search query, so that I can provide you the result?

0 Karma

gjanders
SplunkTrust

| tstats count where index=* groupby host

This might show you the hosts sending data in; it won't be exact, but it should give you an idea. If you use this version:

| tstats count where index=_* groupby host

You will see all the internal Splunk hosts by looking for internal logs...

0 Karma

jbrocks
Communicator

When you use a deployment server, you can list the deployment clients (servers/forwarders connected to this deployment server) on the command line with

splunk list deploy-clients
-> then type in your Splunk user and password and you will get a list.

For simplicity you can do
splunk list deploy-clients | grep "dns"
-> which will only show the DNS names of the listed deployment clients.

0 Karma
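Grepping for "dns" gives the names but not a count, and says nothing about whether each client is still checking in. As an added example (not from the original post), here is a small parser for the text `splunk list deploy-clients` prints, which counts the clients, lists their DNS names and flags clients whose last phone-home is old. The sample output is constructed; I have assumed the command prints one "Deployment client:" header per client followed by indented "key: value" lines including dns, hostname, ip and lastPhoneHomeTime (epoch seconds), with nested detail such as the applications list indented one level deeper. Verify those key names against your own deployment server's output before relying on them.

```python
"""Added example, not from the original post: parse the text printed by
`splunk list deploy-clients`, count clients, list DNS names and flag clients
that have stopped phoning home. The output layout and key names (dns,
hostname, ip, lastPhoneHomeTime) are assumptions; the sample is constructed."""
import re
import subprocess

# Constructed sample in the assumed layout: three clients, the last of which
# last phoned home about a day before the reference time used in __main__.
SAMPLE_DEPLOY_CLIENTS = """\
Deployment client:
    applications:
        Splunk_TA_nix: {'result': 'Ok', 'serverclasses': ['linux_hosts']}
    clientName: web01
    dns: web01.corp.example
    hostname: web01
    ip: 10.1.2.10
    lastPhoneHomeTime: 1709287140
    mgmt: 8089
    splunkVersion: 9.1.2
Deployment client:
    applications:
        Splunk_TA_nix: {'result': 'Ok', 'serverclasses': ['linux_hosts']}
    clientName: web02
    dns: web02.corp.example
    hostname: web02
    ip: 10.1.2.11
    lastPhoneHomeTime: 1709287020
    mgmt: 8089
    splunkVersion: 9.1.2
Deployment client:
    applications:
    clientName: db01
    dns: db01.corp.example
    hostname: db01
    ip: 10.1.3.20
    lastPhoneHomeTime: 1709200000
    mgmt: 8089
    splunkVersion: 8.2.9
"""

HEADER = "Deployment client:"
KV_RE = re.compile(r"^(\s*)([A-Za-z_]\w*):\s*(.*)$")


def parse_deploy_clients(text):
    """Return one dict per client holding its top-level key: value lines."""
    clients, current, key_indent = [], None, None
    for line in text.splitlines():
        if line.strip() == HEADER:
            current = {}
            clients.append(current)
            continue
        m = KV_RE.match(line)
        if current is None or not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if key_indent is None:
            key_indent = indent  # first key after the first header sets the client-key level
        if indent != key_indent or value == "":
            continue  # nested per-app detail, or a container key like "applications:"
        current[key] = value
    return clients


def dns_names(clients):
    """The list that `splunk list deploy-clients | grep dns` shows, without the grep."""
    return [c["dns"] for c in clients if "dns" in c]


def stale_clients(clients, now_epoch, max_age_s=600):
    """(name, age in seconds) for clients whose last phone-home is older than max_age_s,
    i.e. forwarders that are configured on the deployment server but not checking in."""
    stale = []
    for c in clients:
        if "lastPhoneHomeTime" not in c:
            continue
        age = now_epoch - int(c["lastPhoneHomeTime"])
        if age > max_age_s:
            stale.append((c.get("dns") or c.get("hostname") or c.get("ip"), age))
    return stale


def live_deploy_clients(splunk_bin="splunk"):
    """Run the real command on the deployment server. Needs the CLI on PATH (normally
    $SPLUNK_HOME/bin/splunk, an assumption) and it will prompt for credentials."""
    out = subprocess.run([splunk_bin, "list", "deploy-clients"],
                         capture_output=True, text=True, check=True).stdout
    return parse_deploy_clients(out)


if __name__ == "__main__":
    clients = parse_deploy_clients(SAMPLE_DEPLOY_CLIENTS)
    print(f"{len(clients)} deployment clients:", ", ".join(dns_names(clients)))
    reference_time = 1709287200  # 2024-03-01 10:00:00 UTC, matching the constructed sample
    for name, age in stale_clients(clients, reference_time):
        print(f"stale: {name} last phoned home {age // 3600} h ago")
```

The parser keys on indentation so that per-app detail under "applications:" is not mistaken for a client attribute; if your deployment server prints a different layout, adjust HEADER and the key-level detection first. Like the CLI itself, the live function only works on the deployment server with admin credentials, so it does not help a user without that access.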