The Deployment Server - (Settings -> Forwarder Management) shows Host Name, Client Name, Instance Name, IP Address, Actions, Machine Type, Deployed Apps, and Phone Home. I need to get a list of Hosts that have less than 5 Deployed Apps. I found this command which does this, but I only need the count and not the application names. Also, the Deployment server does not have an option to export the forwarder list.
| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname
Hi rholm01,
you could run a search like the following to extract all the information from the Deployment Server:
| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
| eval temp=hostname."#".ip."#".utsname
| table temp *.restartSplunkd
| eval application.NoApp.restartSplunkd=0
| untable temp apps count
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null())
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() )
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)"
| table Host Host_IP Machine_Type Apps ServerClass
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass
I configured this search as an alert on my Deployment Server, and at the end I put an outputcsv command to write the results to a CSV file. Then I read it with an input, so I have this information on my Search Head and can correlate it with the other information.
Bye.
Giuseppe
@rholm01 Excellent, but along with this, if you can add "last logs reported time for each host" then it will be excellent, because sometimes a host will report to deployment servers but will not send any logs...
Works like a champ!!!! Love this, thank you!!!
Excellent! Runs straight out without any changes.
This gives you a table view listing each server, OS, Apps installed, and what Serverclass they belong to.
Not sure if it's possible, but it doesn't take into account if any server is 'Blacklist' in an App. THAT would be nice to know too.
Already saved it as a Report. Thank you.
Hi @rholm01,
Try below query
| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient| untable hostname applications value | eval applications=replace(applications,"applications.(.*).stateOnClient","\1") | stats count by hostname
EDIT: Updated query.
@harsmarvania57 - spot on search. Saweeet!
Run this on your Deployment Server.
I substituted the last line's 'hostname' and dropped in 'applications' and got a count of servers that have downloaded the Apps.
Also, the Deployment Server - Forwarder Management does not sort on the Deployed Apps column.
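An added example for the original question (hosts with fewer than 5 Deployed Apps), not part of any of the posts above: it counts the `applications.*.stateOnClient` fields on each client row rather than unpivoting them, so a client with no deployed apps is still listed with a count of 0. The field name `app_count` is chosen here for illustration; the endpoint and the other field names are the ones used in the searches above.

```spl
| rest /services/deployment/server/clients splunk_server=local
| eval app_count=0
| foreach applications.*.stateOnClient
    [ eval app_count=app_count + if(isnotnull('<<FIELD>>'), 1, 0) ]
| where app_count < 5
| table hostname ip utsname app_count
| sort app_count hostname
```

Run it on the Deployment Server; appending an outputcsv command, as described in the first answer, gives an exportable list.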