Deployment Architecture

UF first deployed

Is it possible to see when a universal forwarder was first deployed or phoned home?


0 Karma

Splunk Employee

The answer is... "It Depends".

So the next obvious question is "Why do you want to know?" Because that might get you a better answer than what follows... Can you elaborate?

There is data in the internal logs regarding the contact between the indexer and forwarder, but those logs roll and usually... that final rollout is to deletion. So it depends.

If this is new-ish (the _internal index is set to roll every 30 days), then you can take a look here:

index=_internal source=*metrics.log* "fwdtype=*"

or if you are using a DS here:

index=_internal source=*metrics.log* phonehome

These give you the data available to you (although not the search, there are countless resources for searching those bits...).

The UF also has internal logs that most folks are forwarding to their indexer (but you fall under the same 30-day roll).

If you feel it's been phoning home since it was installed and you just want to know when... if it's never been upgraded you can check the creation date of default config files in $SPLUNK_HOME/etc/system/default, as those are dated at the last upgrade (or the initial install). Mind you, this assumes you started it immediately, and that there isn't some overlying distribution system messing with the dates.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma


Awesome, thanks! I am putting together a few panels to see various things relating to agents deployed. So was just curious about this.

Is it possible to see a list of inactive UFs... and why they are inactive?

0 Karma


You can only go back as far as you are retaining internal events, but this search:

index=_internal component=HttpPubSubConnection host=YOURSERVERNAME

shows a basic event similar to this:

09-01-2016 12:44:34.840 -0400 INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.xx.xx.xx_8089_10.xx.xx.xx_YOURSERVERNAME_0A5F9875-1BA5-4317-B4A5-248C0C43E52D

connection_10.xx.xx.xx_8089_10.xx.xx.xx_YOURSERVERNAME will be the IP of the server (twice) and its name.

Now this shows the earliest and latest event in your time range:

index=_internal component=HttpPubSubConnection host=PVADFS03 | stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval FirstEvent=strftime(Earliest,"%+") | eval LastEvent=strftime(Latest,"%+") | fields - Earliest Latest

0 Karma
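The same first-seen/last-seen logic as the search above, applied offline to raw HttpPubSubConnection lines, as an added example that is not part of the original thread or of Splunk. It assumes the connection id format shown in the answer (connection_ip_port_ip_host_GUID), uses constructed sample lines, and treats a forwarder as inactive when its last phonehome is older than an assumed 7-day threshold; "first seen" is only as old as your _internal retention, as the answers note.

```python
import re
from datetime import datetime, timedelta, timezone

# Matches the phonehome line shape shown in the answer above (assumed format):
# connection_<ip>_<port>_<ip>_<hostname>_<GUID>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) INFO\s+"
    r"HttpPubSubConnection - Running phone uri=/services/broker/phonehome/"
    r"connection_(?P<ip1>[\d.]+)_(?P<port>\d+)_(?P<ip2>[\d.]+)_(?P<host>.+?)_"
    r"(?P<guid>[0-9A-Fa-f-]{36})$"
)

# Constructed sample log lines (hostnames, IPs and GUIDs are made up).
GUID_A = "11111111-2222-3333-4444-555555555555"
GUID_B = "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
PREFIX = "INFO  HttpPubSubConnection - Running phone uri=/services/broker/phonehome/"
SAMPLE_LOG = [
    f"09-01-2016 12:44:34.840 -0400 {PREFIX}connection_10.1.1.5_8089_10.1.1.5_UF-WEB01_{GUID_A}",
    f"09-09-2016 08:00:01.003 -0400 {PREFIX}connection_10.1.1.5_8089_10.1.1.5_UF-WEB01_{GUID_A}",
    f"09-01-2016 12:50:00.000 -0400 {PREFIX}connection_10.1.1.5_8089_10.1.1.5_UF-DB02_{GUID_B}",
    "09-02-2016 12:50:00.000 -0400 INFO  Metrics - group=tcpin_connections fwdtype=uf",  # not a phonehome line
]
# Reference "now" for the inactivity check (constructed, same UTC offset as the logs).
NOW = datetime(2016, 9, 10, 12, 0, 0, tzinfo=timezone(timedelta(hours=-4)))

def parse_line(line):
    """Return {time, host, guid} for a phonehome line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    return {"time": ts, "host": m.group("host"), "guid": m.group("guid")}

def phonehome_summary(lines, now, inactive_after=timedelta(days=7)):
    """Group by forwarder GUID; record earliest/latest phonehome and flag stale ones.
    Note: 'first' can never be older than the retention of the log you feed in."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-phonehome events such as metrics.log lines
        entry = seen.setdefault(rec["guid"], {"host": rec["host"], "first": rec["time"], "last": rec["time"]})
        entry["first"] = min(entry["first"], rec["time"])
        entry["last"] = max(entry["last"], rec["time"])
    for entry in seen.values():
        entry["inactive"] = (now - entry["last"]) > inactive_after
    return seen

if __name__ == "__main__":
    for guid, e in phonehome_summary(SAMPLE_LOG, NOW).items():
        print(guid, e["host"], e["first"].isoformat(), e["last"].isoformat(), "INACTIVE" if e["inactive"] else "active")
```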