Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to Identify splunk forwarder location ?

AKG1_old1
Builder
‎07-22-2019 04:35 AM

Hello,

we have plenty of forwarders install at different machine/folders. Is there any way to list out all forwarders location ?

I have tried below apps but no one provide location for forwarder, Just getting IP of forwarder Machine.

  1. Unified Forwarder Monitoring App for Splunk
    https://splunkbase.splunk.com/app/3805/

  2. Monitoring Console

Some Example location:
/net/hp754srv/hp754srv1/apps/ENV1/splunkforwarder1
/net/dell443srv/dell443srv3/apps/ENV2/splunkforwarder2
/net/dell153srv/dell153srv2/apps/ENV3/splunkforwarder3

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎07-22-2019 04:56 AM

Hi @agoyal,

If forwarders are sending internal logs to splunk indexers then you can try below query.

index=_internal sourcetype=splunkd 
| stats count by source,host
| regex source="(?:\/|\x5c)splunkd\.log$"
| rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎07-22-2019 04:56 AM

Hi @agoyal,

If forwarders are sending internal logs to splunk indexers then you can try below query.

index=_internal sourcetype=splunkd 
| stats count by source,host
| regex source="(?:\/|\x5c)splunkd\.log$"
| rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"
0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎07-23-2019 10:18 PM
  1. Not sure of what is the "location" here (physical location or some logical location)

Some Example location:
/net/hp754srv/hp754srv1/apps/ENV1/splunkforwarder1

  1. "If the forwarders are sending their internal logs"...... The forwarders will be sending their internal logs always, right?!?!
  2. On this command, why regex and rex both are used?!?! (I am not having access to any splunk systems, or i should have tested these myself)
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎07-24-2019 12:56 AM
  1. Location means on which path SplunkForwarder is installed on different servers irrrespective of whether it's physical or virtual machine.
  2. It depends, you can disable Splunk Universal Forwarder internal logging. For exa. If you are working on large environment like 20-30K Forwarders and if you do not want to ingest Forwarder internal logs then you can disable it.
  3. There are 2 approach either you can provide source=*splunkd.log in base search but I heard that wildcard ( * ) at starting is not good so I am using regex and rex in above query. regex filter out splunkd.log and rex command extract installation path.
Reply
Solved! Jump to solution

AKG1_old1
Builder
‎07-22-2019 05:13 AM

@harsmarvania57 : Thanks!! it worked like a charm 🙂

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎07-22-2019 05:14 AM

You're welcome. Glad that it worked 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...