Hello splunkr's,
I am trying to create a simple report that will show me all the clients that have the splunk forwarder installed on them. The current way I deduce this is via the Deployment Server by: Settings > fwdr mgmt > Clients tab > Shows a sum total of 268 clients. I then copy & paste the results into excel. Silly I know but I've been reading, trying, hacking, scheduling jobs but cannot get the equivalent info. Just keeping it simple.
All I want is the Search cmd I can run that reports the total # of clients and has the same type of info with columns of: Hostname | IP Address | Machine type | Deployed Apps
I would then like it stored in a CSV file so I can import it into Excel.
Here are a few search cmds I've been trying, but they either run on forever or give huge total counts of clients that are radically different from the Deployment svr UI report (we should be in the ballpark of a few hundred clients).
Attempts:
1) * | top limit=0 host | sort host (Reports false hostnames, runs forever even with time range set, total count not true)
2) host=*|stats distinct_count(host) by host (Reports false hostnames, very slow to run)
3) * | dedup host | stats count by host | sort host (Reports false hostnames, runs forever even with time range set, total count not true)
All dead-on examples would be much appreciated.
cheers,
Damon
Try this to get a list of the hosts
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename arch as MachineType
| fields connectionType sourceIp sourceHost version MachineType
| dedup sourceIp
Getting a list of the deployed apps is not tricky, but it depends on the version of Splunk.
For Splunk 6, try this
index=_internal component=DeployedApplication OR component=PackageDownloadRestHandler sourcetype=splunkd | dedup host app | table host app
Put them together:
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename arch as MachineType
| fields connectionType sourceIp sourceHost version MachineType
| dedup sourceIp
| rename sourceHost as host
| join type=outer host [ search index=_internal component=DeployedApplication OR component=PackageDownloadRestHandler sourcetype=splunkd | dedup host app | table host app ]
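As an added illustration (not from the thread, and not Splunk code), the script below applies the same logic as the combined search above to constructed sample lines offline, so each step can be checked against known input: keep only group=tcpin_connections events, prefer hostname over sourceHost, default a missing version to "pre 4.2", rename arch to MachineType, dedup on sourceIp, outer-join the DeployedApplication apps by host, and emit the CSV the question asks for. The field names (sourceIp, sourceHost, hostname, arch, version, fwdType, connectionType) and the classification rules come from the search; the log text, hostnames, IPs and app names are constructed. Two assumptions are spelled out in the code: field names are matched case-sensitively (the search must say sourceIp, not sourceIP, or the dedup silently does nothing), and all apps per host are collected into one cell, whereas the SPL join above keeps only one subsearch row per host unless max= is raised.

```python
import csv
import io
import re

# Constructed sample metrics.log events (not from the thread). The layout follows
# the comma-separated key=value form of group=tcpin_connections events; the
# throughput counters are trimmed for brevity.
METRICS_LOG = """\
01-10-2014 09:00:01.100 -0500 INFO  Metrics - group=tcpin_connections, 10.1.2.3:51001:9997, connectionType=cooked, sourcePort=51001, sourceHost=10.1.2.3, sourceIp=10.1.2.3, destPort=9997, kb=1.20, version=6.0.1, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=false
01-10-2014 09:00:01.100 -0500 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.1, instantaneous_eps=40.0
01-10-2014 09:00:31.100 -0500 INFO  Metrics - group=tcpin_connections, 10.1.2.3:51007:9997, connectionType=cooked, sourcePort=51007, sourceHost=10.1.2.3, sourceIp=10.1.2.3, destPort=9997, kb=0.80, version=6.0.1, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=false
01-10-2014 09:00:31.100 -0500 INFO  Metrics - group=tcpin_connections, 10.1.2.9:60210:9997, connectionType=cookedSSL, sourcePort=60210, sourceHost=db01.corp.example, sourceIp=10.1.2.9, destPort=9997, kb=3.40, version=6.0.1, os=Windows, arch=x86_64, hostname=db01, fwdType=full, ssl=true
01-10-2014 09:00:31.100 -0500 INFO  Metrics - group=tcpin_connections, 10.1.2.20:44010:9997, connectionType=cooked, sourcePort=44010, sourceHost=10.1.2.20, sourceIp=10.1.2.20, destPort=9997, kb=0.10
"""

# Constructed (host, raw event) pairs standing in for the DeployedApplication
# events the answer searches for; only the app=<name> pair is relied on.
DEPLOYED_APP_EVENTS = [
    ("web01", "INFO  DeployedApplication - Installing app=Splunk_TA_nix"),
    ("web01", "INFO  DeployedApplication - Installing app=all_forwarder_outputs"),
    ("db01", "INFO  DeployedApplication - Installing app=Splunk_TA_windows"),
    ("web01", "INFO  DeployedApplication - Installing app=Splunk_TA_nix"),  # repeat
]

# Keys are matched case-sensitively, exactly as Splunk field names are.
KV_RE = re.compile(r"(\w+)=([^,\s]*)")
FWD_TYPES = {"uf": "univ fwder", "lwf": "lightwt fwder", "full": "heavy fwder"}
CONN_TYPES = {"cooked": "Splunk fwder", "cookedSSL": "Splunk fwder",
              "raw": "legacy fwder", "rawSSL": "legacy fwder"}
COLUMNS = ["host", "sourceIp", "MachineType", "connectionType", "version", "DeployedApps"]


def parse_kv(line):
    """Return the key=value pairs of one log line as a dict."""
    return dict(KV_RE.findall(line))


def classify_connection(f):
    """Mirror the search's case(): fwdType wins, connectionType is the fallback."""
    if f.get("fwdType") in FWD_TYPES:
        return FWD_TYPES[f["fwdType"]]
    return CONN_TYPES.get(f.get("connectionType"))


def forwarder_inventory(metrics_text):
    """One row per sourceIp, the equivalent of the answer's first search.

    dedup keeps the first row seen for an IP, so feed newest events first if
    you want the latest version/arch, as Splunk's default sort order does.
    """
    rows = {}
    for line in metrics_text.splitlines():
        f = parse_kv(line)
        if f.get("group") != "tcpin_connections":
            continue
        ip = f.get("sourceIp")
        if not ip or ip in rows:
            continue
        rows[ip] = {
            "connectionType": classify_connection(f),
            "sourceIp": ip,
            "host": f.get("hostname") or f.get("sourceHost"),  # hostname if present
            "version": f.get("version", "pre 4.2"),              # isnull() default
            "MachineType": f.get("arch", ""),                    # rename arch
        }
    return list(rows.values())


def deployed_apps(events):
    """host -> sorted unique app names, the equivalent of 'dedup host app'."""
    apps = {}
    for host, raw in events:
        app = parse_kv(raw).get("app")
        if app:
            apps.setdefault(host, set()).add(app)
    return {h: sorted(a) for h, a in apps.items()}


def join_apps(inventory, apps):
    """Outer join on host: every forwarder stays, unmatched hosts get an empty
    app cell. All apps are kept (';'-joined), unlike SPL join's default max=1."""
    out = []
    for row in inventory:
        merged = dict(row)
        merged["DeployedApps"] = ";".join(apps.get(row["host"], []))
        out.append(merged)
    return sorted(out, key=lambda r: r["host"])


def to_csv(rows):
    """Render the report with the column order the question asked for."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_report():
    return join_apps(forwarder_inventory(METRICS_LOG), deployed_apps(DEPLOYED_APP_EVENTS))


if __name__ == "__main__":
    report = build_report()
    print("forwarders:", len(report))  # 3: two connections from web01 collapse to one
    print(to_csv(report))
```

Two things the sample makes visible that the search alone does not: the second web01 connection disappears in the dedup (so the count is forwarders, not connections, which is why it lands near the Deployment Server's client total rather than the thousands the asker saw), and a client with no fwdType or version, the 10.1.2.20 row here, is still listed but classified only by connectionType. Deduplicating on sourceIp also collapses several clients that share a NAT address into one row; if that matters in your estate, dedup on the hostname instead.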
Made minor updates of the answer to show forwarder types for all clients and make a table:
index=_internal source=*metrics.log group=tcpin_connections fwdType=*
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename arch as MachineType
| dedup sourceIp
| table connectionType,sourceIp,sourceHost,version,MachineType
Sorry about that - I managed to cut and paste more than I intended for the second search.
What time range are you running for the first search?
Thanks for the quick response and multiple options and exactness.
I am running splunk V6 Enterprise.
The 1st option did not work for me at all: just kept churning but no results.
The 2nd option produced results but I got over 10,000 entries. Actual should be around 270 hosts.
The 3rd option (combined) did not run at all, like #1: churns & no results.
Still stuck.
I find that a lot ... people with good intentions provide queries (that I'm grateful for, saves a lot of time) but many don't work.