Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Whats the best way to monitor deployment activity?

Lowell
Super Champion
‎04-30-2010 03:58 PM

Anyone know the best way to monitor deployment activity of a splunk server? I've found DeploymentMetrics coming from the deployment serer, and I see DeploymentClient and DeployedApplication messages being forwarded from my deployment clients.

There seem to be cases where I see deployments occuring on the clients (reported by DeployedApplication), but I don't see them in DeploymentMetrics. Has anyone else observed anything like that?

Anyone have any helpful deployment tracking searches they would like to share?

Here is the basis of my existing searches:

Search 1:

index="_internal" sourcetype="splunkd" source=*metrics.log Component="DeploymentMetrics"

Search 2:

index=_internal sourcetype=splunkd Component="DeployedApplication"

Update: Note. If your using Splunk 4.1, then you have to replace Component with component. (These kind of upgrade bugs really can take a lot of time to straighten out.)

0 Karma
Reply

oreoshake
Communicator
‎04-30-2010 06:02 PM

Similar searches

If you want to see apps that have been recently installed/updated

source="*splunkd.log" index=_internal "DeployedApplication - Checksum mismatch" OR "Installing" | rex "app: (?<app_name>\\w*)"

If you want to see which clients have "phoned home" for updates:

 source="/opt/splunk/var/log/splunk/splunkd_access.log" index=_internal /services/broker/phonehome | rex "/services/broker/phonehome/connection_[\\d|\\.]*_\\d*_(?<src>.*)_(?<client>.*)_" | dedup client

If you want to see your forwarders restarting (not directly related to the deployment, but still helpful)

source="*splunkd.log" index="_internal" ShutdownHandler punct="--_::.____-____._"

And this was helpful when my server classes overlapped and hosts were sending data to two indexers

source="*splunkd.log" index="_internal" "Connected to" | rex "Connected to (?<indexer>.*)" | stats count by host,indexer | stats count by host | search count>1
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...