Hello,
we have plenty of forwarders install at different machine/folders. Is there any way to list out all forwarders location ?
I have tried below apps but no one provide location for forwarder, Just getting IP of forwarder Machine.
Unified Forwarder Monitoring App for Splunk
https://splunkbase.splunk.com/app/3805/
Monitoring Console
Some Example location:
/net/hp754srv/hp754srv1/apps/ENV1/splunkforwarder1
/net/dell443srv/dell443srv3/apps/ENV2/splunkforwarder2
/net/dell153srv/dell153srv2/apps/ENV3/splunkforwarder3
Thanks
Hi @agoyal,
If forwarders are sending internal logs to splunk indexers then you can try below query.
index=_internal sourcetype=splunkd
| stats count by source,host
| regex source="(?:\/|\x5c)splunkd\.log$"
| rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"
Hi @agoyal,
If forwarders are sending internal logs to splunk indexers then you can try below query.
index=_internal sourcetype=splunkd
| stats count by source,host
| regex source="(?:\/|\x5c)splunkd\.log$"
| rex field=source "(?<installation_path>.*)(?:\/|\x5c)var(?:\/|\x5c)"
Some Example location:
/net/hp754srv/hp754srv1/apps/ENV1/splunkforwarder1
source=*splunkd.log
in base search but I heard that wildcard ( *
) at starting is not good so I am using regex
and rex
in above query. regex
filter out splunkd.log
and rex
command extract installation path.@harsmarvania57 : Thanks!! it worked like a charm 🙂
You're welcome. Glad that it worked 🙂