Deployment Architecture

Is it possible to Identify splunk forwarder location ?

AKG1_old1
Builder

Hello,

we have plenty of forwarders install at different machine/folders. Is there any way to list out all forwarders location ?

I have tried below apps but no one provide location for forwarder, Just getting IP of forwarder Machine.

  1. Unified Forwarder Monitoring App for Splunk
    https://splunkbase.splunk.com/app/3805/

  2. Monitoring Console

Some Example location:
/net/hp754srv/hp754srv1/apps/ENV1/splunkforwarder1
/net/dell443srv/dell443srv3/apps/ENV2/splunkforwarder2
/net/dell153srv/dell153srv2/apps/ENV3/splunkforwarder3

Thanks

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi @agoyal,

If forwarders are sending internal logs to splunk indexers then you can try below query.

index=_internal sourcetype=splunkd 
| stats count by source,host
| regex source="(?:\/|\x5c)splunkd\.log$"
| rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"

View solution in original post

0 Karma

harsmarvania57
Ultra Champion

Hi @agoyal,

If forwarders are sending internal logs to splunk indexers then you can try below query.

index=_internal sourcetype=splunkd 
| stats count by source,host
| regex source="(?:\/|\x5c)splunkd\.log$"
| rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"
0 Karma

inventsekar
SplunkTrust
SplunkTrust
  1. Not sure of what is the "location" here (physical location or some logical location)

Some Example location:
/net/hp754srv/hp754srv1/apps/ENV1/splunkforwarder1

  1. "If the forwarders are sending their internal logs"...... The forwarders will be sending their internal logs always, right?!?!
  2. On this command, why regex and rex both are used?!?! (I am not having access to any splunk systems, or i should have tested these myself)
0 Karma

harsmarvania57
Ultra Champion
  1. Location means on which path SplunkForwarder is installed on different servers irrrespective of whether it's physical or virtual machine.
  2. It depends, you can disable Splunk Universal Forwarder internal logging. For exa. If you are working on large environment like 20-30K Forwarders and if you do not want to ingest Forwarder internal logs then you can disable it.
  3. There are 2 approach either you can provide source=*splunkd.log in base search but I heard that wildcard ( * ) at starting is not good so I am using regex and rex in above query. regex filter out splunkd.log and rex command extract installation path.

AKG1_old1
Builder

@harsmarvania57 : Thanks!! it worked like a charm 🙂

0 Karma

harsmarvania57
Ultra Champion

You're welcome. Glad that it worked 🙂

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...