Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is forwarder management data indexed?

chanfoli
Builder
‎07-15-2014 11:40 AM

Hello,

I want to be able to customize searches on the data in the forwarder management page. It would seem that client phone-home status is being cached somewhere like in an index but I can't find it. I would like to be able to have more flexible filtering on what I see and the ability to sort it.

Thanks,
Sean

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎07-15-2014 12:27 PM

Look in the _internal index. Here are some ideas to get you started...

Are apps being downloaded?

index=_internal component=DeployedApplication OR 
      component=PackageDownloadRestHandler  sourcetype=splunkd 
| table _time log_level host app message

Is the deployment client phoning home?

index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler)
| sort _time
| table _time host log_level message

Is the deployment server hearing the phone homes?

index=_internal metrics group=deploy-server sourcetype=splunkd 
| timechart span=2m avg(nReceived) by host
Reply

chanfoli
Builder
‎07-16-2014 11:20 AM

Yes. According to forwarder management page. Also apps have been deployed as expected.

0 Karma
Reply

lguinn2
Legend
‎07-16-2014 12:09 AM

Did the client actually phone home?

0 Karma
Reply

chanfoli
Builder
‎07-15-2014 06:24 PM

Thanks again L. Understood. In this case, we recently added 28 of our first windows clients we're mostly splunking Linux. I see most phoning home fine within minutes in the clients page, but it doesn't look like the phone home events actually end up in the clients' splunkd.logs, I see other events relating to watched file monitors etc but nothing with regards to phone-homes. I was trying to access the same data the forwarder management is using to tell me that x-client has phoned home in the past minute, I take it that this either not indexed or not accessible. Thanks, Sean.

0 Karma
Reply

lguinn2
Legend
‎07-15-2014 03:12 PM

By default, all the forwarders should be sending their splunkd.log files (and some others) to the splunk indexers - so you should be able to see things from the forwarder perspective as well as from the forwarder management server.

A search of

index=_internal sourcetype=splunkd | stats count by host

over the last hour should show many different hosts...

0 Karma
Reply

chanfoli
Builder
‎07-15-2014 01:52 PM

Thanks L. I was seeing some relevant events, but I am not finding anything on my deployment server in _internal which would correspond to the actual phone-home event and tie it to a client other than the splunkd_access logs which don't really have anything that useful or even easily extractable. I basically want to search and report similar to the "Clients" tab in forwarder management, but apply some more complex filters and sort the list. If it is not doable I understand.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...