Deployment Architecture

Report on Splunk Forwarders


Is there a way to get a report of "All Forwarders" in Splunk. I am trying to get this information in a format that I can export to a spreadsheet (needed to verify that all our inventoried hosts are reporting to Splunk). I am using the Deployment App, but the best I can do is only see 50 entries per page and there is no "export" function. I tried some searches based on research of the doc and answers on the forum but to no avail. Any help would be appreciated.

How can I find what search the Deployment Monitor is using for this "All Forwarders" dashboard?

Tags (1)


Try one of these solutions - or install the Deployment Monitor app --

Deployment Monitor not displaying all forwarders

Listing forwarders

Search for active hosts

The above answers all relate to "are forwarders connecting to the Splunk indexer(s) and sending data?"

If your question is "are forwarders connecting to the Splunk deployment server?" that is different. Try this search:

search = index=_internal component=deploymentclient phonehome earliest=-30d
| eval today=if(relative_time(now(),"-24h@h")<_time,1,0)
| stats sum(today) as ConnectedLast24Hours count as ConnectedLast30Days by clientip

Or the same as above, but replace the search with

index=_internal sourcetype=splunkd group=ds_phonehomes*

Or a third option for the search:

index=_internal sourcetype=splunkd component=Metrics group=ds_connections*

Different versions of Splunk had different internal log formats, so you may need to try more than one of these to get the results you want.


I tried the first sarch solution but it gave me 147 results. However, in the Deployment Monitor it shows 377 forwarders (which I think is correct). The other searches return zero results.
I probably did not explain clearly - I am using the Deployment Monitor and it shows the result I am interested in under "All Forwarders" but with a maximum of 50 per page. I am trying to get a report or search that shows all the Forwards in a single page or allows me to export the entire list. Thanks.

0 Karma


lguinn, thanks for your prompt response. I will experiment with the various options and post my results. Thanks very much.

0 Karma


BTW, this will tell you which hosts have reported in - and can identify those that checked in in the past 30 days but not the last 24 hours.

However, if you want to have a list of "missing" hosts - you should consider setting up a lookup table that contains all the host names. Then it would be easy to run a report that says "give me a list of hosts that have never checked in with Splunk and those that have not recently checked in." Consider whether this lookup should be based on ip or host name...

0 Karma
Get Updates on the Splunk Community!

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...