Getting Data In

Create report listing all clients

damonmanni
Path Finder

Hello splunkr's,

I am trying to create a simple report that will show me all the clients that have the splunk forwarder installed on them. The current way I deduce this is via the Deployment Server by: Settings > fwdr mgmt > Clients tab > Shows a sum total of 268 clients. I then copy & paste the results into excel. Silly I know but I've been reading, trying, hacking, scheduling jobs but cannot get the equivalent info. Just keeping it simple.

All I want is the Search cmd I can run that reports the total # of clients and has the same type of info with columns of: Hostname | IP Address | Machine type | Deployed Apps

I would then like it stored in a CSV file so I can have import into excel.

Here are a few search cmds I been trying but they either run on forever, giving huge total counts of clients that is radically different from the Deployment svr UI report (we should been in the ball park of a few hundred clients).

Attempts:
1) * | top limit=0 host | sort host (Reports false hostnames, runs forever even with time range set, total count not true)

2) host=*|stats distinct_count(host) by host (Reports false hostnames, very slow to run)

3) * | dedup host | stats count by host | sort host (Reports false hostnames, runs forever even with time range set, total count not true)

All dead-on examples would be much appreciated.

cheers,
Damon

0 Karma
1 Solution

lguinn2
Legend

Try this to get a list of the hosts

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename  arch as MachineType
| fields connectionType sourceIp sourceHost  version MachineType
| dedup sourceIP

Getting a list of the deployed apps is not tricky, but it depends on the version of Splunk.
For Splunk 6, try this

index=_internal component=DeployedApplication OR component= PackageDownloadRestHandler  sourcetype=splunkd | dedup host app | table host app

Put them together:

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename  arch as MachineType
| fields connectionType sourceIp sourceHost  version MachineType
| dedup sourceIP
| rename sourceHost as host
| join type=outer host [ search index=_internal component=DeployedApplication OR component= PackageDownloadRestHandler  sourcetype=splunkd | dedup host app | table host app ]

View solution in original post

lguinn2
Legend

Try this to get a list of the hosts

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename  arch as MachineType
| fields connectionType sourceIp sourceHost  version MachineType
| dedup sourceIP

Getting a list of the deployed apps is not tricky, but it depends on the version of Splunk.
For Splunk 6, try this

index=_internal component=DeployedApplication OR component= PackageDownloadRestHandler  sourcetype=splunkd | dedup host app | table host app

Put them together:

index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| eval connectionType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename  arch as MachineType
| fields connectionType sourceIp sourceHost  version MachineType
| dedup sourceIP
| rename sourceHost as host
| join type=outer host [ search index=_internal component=DeployedApplication OR component= PackageDownloadRestHandler  sourcetype=splunkd | dedup host app | table host app ]

yunkwang
Engager

Made minor updates of the answer to show forwarder types for all clients and make a table:

index=_internal source=metrics.log group=tcpin_connections fwdType= | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="univ*","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk fwder", connectionType=="raw" or connectionType=="rawSSL","legacy fwder") | eval version=if(isnull(version),"pre 4.2",version) | rename arch as MachineType | dedup sourceIp | table connectionType,sourceIp,sourceHost,version,MachineType

0 Karma

lguinn2
Legend

Sorry about that - I managed to cut and paste more than I intended for the second search.

What time range are you running for the first search?

0 Karma

damonmanni
Path Finder

Thanks for the quick response and multiple options and exactness.

I am running splunk V6 Enterprise.

The 1st option did not work for me at all: just kept churning but no results.

The 2nd option produced results but I got over 10,000 entries. Actual should be around 270 hosts.

The 3rd option (combined) did not run at all like #1. churns & no results

Still stuck.

0 Karma

mendesjo
Path Finder

I find that allot ... people with good intentions providing query's (that I'm gratefull saves allot of time) but many don't work..

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...