Deployment Architecture

Report on Splunk Forwarders

steveirogers
Communicator

Is there a way to get a report of "All Forwarders" in Splunk? I am trying to get this information in a format that I can export to a spreadsheet (needed to verify that all our inventoried hosts are reporting to Splunk). I am using the Deployment App, but the best I can do is only see 50 entries per page and there is no "export" function. I tried some searches based on research of the doc and answers on the forum but to no avail. Any help would be appreciated.

How can I find what search the Deployment Monitor is using for this "All Forwarders" dashboard?


lguinn2
Legend

Try one of these solutions - or install the Deployment Monitor app --

Deployment Monitor not displaying all forwarders

Listing forwarders

Search for active hosts

The above answers all relate to "are forwarders connecting to the Splunk indexer(s) and sending data?"

If your question is "are forwarders connecting to the Splunk deployment server?" that is different. Try this search:

search = index=_internal component=deploymentclient phonehome earliest=-30d
| eval today=if(relative_time(now(),"-24h@h")<_time,1,0)
| stats sum(today) as ConnectedLast24Hours count as ConnectedLast30Days by clientip

Or the same as above, but replace the search with

index=_internal sourcetype=splunkd group=ds_phonehomes*

Or a third option for the search:

index=_internal sourcetype=splunkd component=Metrics group=ds_connections*

Different versions of Splunk had different internal log formats, so you may need to try more than one of these to get the results you want.

steveirogers
Communicator

I tried the first search solution but it gave me 147 results. However, in the Deployment Monitor it shows 377 forwarders (which I think is correct). The other searches return zero results.
I probably did not explain clearly - I am using the Deployment Monitor and it shows the result I am interested in under "All Forwarders" but with a maximum of 50 per page. I am trying to get a report or search that shows all the Forwarders in a single page or allows me to export the entire list. Thanks.

0 Karma

steveirogers
Communicator

lguinn, thanks for your prompt response. I will experiment with the various options and post my results. Thanks very much.

0 Karma

lguinn2
Legend

BTW, this will tell you which hosts have reported in - and can identify those that checked in in the past 30 days but not the last 24 hours.

However, if you want to have a list of "missing" hosts - you should consider setting up a lookup table that contains all the host names. Then it would be easy to run a report that says "give me a list of hosts that have never checked in with Splunk and those that have not recently checked in." Consider whether this lookup should be based on ip or host name...

0 Karma
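The lookup-based report suggested above, written out as an added example (this is not code from either poster). It builds on the first phone-home search in this thread and assumes an uploaded lookup file named inventory_hosts.csv with one column, clientip, holding the address of every inventoried host; both the file name and the choice to key on clientip rather than host name are assumptions, so adjust them to match how your inventory is kept. Search rows are tagged seen=1, inventory rows get inventoried=1, and a second stats merges the two sets by clientip so each host falls into one of three exception classes: never checked in, checking in but missing from the inventory, or checked in within 30 days but not in the last 24 hours.

```spl
index=_internal component=deploymentclient phonehome earliest=-30d
| stats max(_time) AS last_checkin BY clientip
| eval seen=1
| inputlookup append=true inventory_hosts.csv
| eval inventoried=if(isnull(seen), 1, 0)
| stats max(last_checkin) AS last_checkin, max(seen) AS seen, max(inventoried) AS inventoried BY clientip
| eval status=case(
      isnull(seen), "never checked in (last 30 days)",
      inventoried=0, "checking in but not in inventory",
      last_checkin < relative_time(now(), "-24h@h"), "stale (no check-in in last 24 hours)",
      true(), "ok")
| where status!="ok"
| eval last_checkin=strftime(last_checkin, "%Y-%m-%d %H:%M:%S")
| table clientip status last_checkin
| sort status clientip
```

Using inputlookup append=true plus a second stats, rather than a join with a subsearch, keeps the report free of the subsearch result limits that would otherwise silently truncate a list of several hundred forwarders. Saving this as a report also gives you the Export button the Deployment Monitor dashboard lacks, so the full result set can go straight to a spreadsheet; the "not in inventory" class is worth reviewing too, since an unexpected host phoning home is as much a finding as a missing one.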