Getting Data In

How do I get a count of applications deployed to forwarders?

Explorer

The Deployment Server - (Settings -> Forwarder Management) shows Host Name, Client Name, Instance Name, IP Address, Actions, Machine Type, Deployed Apps, and Phone Home. I need to get a list of Hosts that have less than 5 Deployed Apps. I found this command which does this, but I only need the count and not the application names. Also, the Deployment server does not have an option to export the forwarder list.

| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient | untable hostname applications value | eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1") | stats values(applications) as applications by hostname
0 Karma
1 Solution

Legend

Hi rholm01,
you could run a search like the following to extract all the informations from Deployment Server:

| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
| eval temp=hostname."#".ip."#".utsname 
| table temp *.restartSplunkd
| eval application.NoApp.restartSplunkd=0
| untable temp apps count 
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null()) 
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() ) 
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)" 
| table Host Host_IP Machine_Type Apps ServerClass 
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass

I configured this search as an alert on my Deployment Server and then at the end I put an outputcsv command to write results on a CSV file, then I read it with an input so I have this information on my Search Head and I can correlate it with the other information.

Bye.
Giuseppe

View solution in original post

Legend

Hi rholm01,
you could run a search like the following to extract all the informations from Deployment Server:

| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
| eval temp=hostname."#".ip."#".utsname 
| table temp *.restartSplunkd
| eval application.NoApp.restartSplunkd=0
| untable temp apps count 
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null()) 
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() ) 
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)" 
| table Host Host_IP Machine_Type Apps ServerClass 
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass

I configured this search as an alert on my Deployment Server and then at the end I put an outputcsv command to write results on a CSV file, then I read it with an input so I have this information on my Search Head and I can correlate it with the other information.

Bye.
Giuseppe

View solution in original post

Contributor

Works like a champ!!!! Love this, thank you!!!

0 Karma

Communicator

Excellent! Runs straight out without any changes.

This gives you a table view listing each server, OS, Apps installed, and what Serverclass they belong to.
Not sure if it's possible, but it doesn't take into account if any server is 'Blacklist' in an App. THAT would be nice to know too.

Already saved it as a Report. Thank you.

0 Karma

SplunkTrust
SplunkTrust

Hi @rholm01,

Try below query

| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient| untable hostname applications value | eval applications=replace(applications,"applications.(.*).stateOnClient","\1") | stats count by hostname

EDIT: Updated query.

Communicator

@harsmarvania57 - spot on search. Saweeet!

Run this on your Deployment Server.
I substituted the last lines 'hostname' and dropped in 'applications' and got a count of servers that have downloaded the Apps.

0 Karma

Explorer

Also, the Deployment Server - Forwarder Management does not sort on the Deployed Apps column.

0 Karma