Hello,
Is it possible to see when a universal forwarder was first deployed or phoned home?
Thanks
The answer is... "It Depends".
So the next obvious question is "Why do you want to know?" Because that might get you a better answer than what follows... Can you elaborate?
There is data in the internal logs regarding the contact between the indexer and forwarder, but those logs roll and usually... that final rollout is to deletion. So it depends.
If this is a new-ish install (the _internal index is set to roll every 30 days), then you can take a look here:
index=_internal source=*metrics.log* "fwdtype=*"
or if you are using a DS here:
index=_internal source=*metrics.log* phonehome
These give you the data available to you (although not the search, there are countless resources for searching those bits...).
The UF also has internal logs that most folks are forwarding to their indexer (but you fall under the same 30 day roll).
If you feel it's been phoning home since it was installed and you just want to know when... if it's never been upgraded you can check the creation date of the default config files in $SPLUNK_HOME/etc/system/default, as those are dated at the last upgrade (or the initial install). Mind you, this assumes you started it immediately, and that there isn't some overlying distribution system messing with the dates.
Awesome, thanks! I am putting together a few panels to see various things relating to agents deployed. So was just curious about this.
Is it possible to see a list of inactive UFs... and why they are inactive?
You can only go back as far as you are retaining internal events, but index=_internal component=HttpPubSubConnection host=YOURSERVERNAME
shows a basic event similar to this:
09-01-2016 12:44:34.840 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.xx.xx.xx_8089_10.xx.xx.xx_YOURSERVERNAME_0A5F9875-1BA5-4317-B4A5-248C0C43E52D
connection_10.xx.xx.xx_8089_10.xx.xx.xx_YOURSERVERNAME
will be the IP of the server (twice) and its name.
Now this shows the earliest and latest event in your time range: index=_internal component=HttpPubSubConnection host=PVADFS03 | stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval FirstEvent=strftime(Earliest,"%+") | eval LastEvent=strftime(Latest,"%+") | fields - Earliest Latest
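As an added example (not code from either answer above), the following Python script does offline what the last search does: it parses HttpPubSubConnection lines in the format shown, reports the first and last phonehome per forwarder, and lists forwarders silent longer than a threshold, which is one way to approach the "inactive UFs" question. The sample log lines, hostnames, IPs, GUIDs and the 7-day threshold are constructed, and, as with the search, it can only see what the _internal index has retained.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the HttpPubSubConnection format quoted above
# (IPs, hostnames and GUIDs are made up for this example).
SAMPLE_LOG = """\
09-01-2016 12:44:34.840 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.0.0.5_8089_10.0.0.5_uf-web01_0A5F9875-1BA5-4317-B4A5-248C0C43E52D
09-02-2016 08:10:01.120 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.0.0.5_8089_10.0.0.5_uf-web01_0A5F9875-1BA5-4317-B4A5-248C0C43E52D
09-03-2016 09:00:00.000 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.0.0.9_8089_10.0.0.9_uf-db02_11111111-2222-3333-4444-555555555555
09-15-2016 17:30:12.500 -0400 INFO HttpPubSubConnection - Running phone uri=/services/broker/phonehome/connection_10.0.0.5_8089_10.0.0.5_uf-web01_0A5F9875-1BA5-4317-B4A5-248C0C43E52D
"""

# connection_<ip>_<port>_<ip>_<hostname>_<guid>: the hostname may contain
# underscores, so it is matched lazily and the GUID is anchored at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) INFO "
    r"HttpPubSubConnection - Running phone uri=/services/broker/phonehome/"
    r"connection_(?P<ip>[\d.]+)_(?P<port>\d+)_(?P<ip2>[\d.]+)_"
    r"(?P<host>.+?)_(?P<guid>[0-9A-Fa-f-]{36})$"
)


def first_last_seen(log_text):
    """Return {hostname: (first_phonehome, last_phonehome)} as aware datetimes."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a phonehome connection event; ignore
        ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
        first, last = seen.get(m["host"], (ts, ts))
        seen[m["host"]] = (min(first, ts), max(last, ts))
    return seen


def inactive_forwarders(seen, now, max_silence=timedelta(days=7)):
    """Hostnames whose most recent phonehome is older than max_silence."""
    return sorted(h for h, (_, last) in seen.items() if now - last > max_silence)


if __name__ == "__main__":
    seen = first_last_seen(SAMPLE_LOG)
    for host, (first, last) in sorted(seen.items()):
        print(f"{host}: first={first.isoformat()} last={last.isoformat()}")
    reference = datetime(2016, 9, 16, tzinfo=timezone(timedelta(hours=-4)))
    print("inactive:", inactive_forwarders(seen, reference))
```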