Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to determine if forwarder is phoning home to deployment server

dolfantimmy
Path Finder
‎01-13-2015 10:00 AM

What is the easiest way to determine if a specific forwarder is phoning home to the deployment server?

Reply

anakor
Engager
‎07-23-2019 12:35 AM

How to check the list of Universal Forwarders in the CLI of the Deployment Server? (Splunk versions 6/7)

0 Karma
Reply

lguinn2
Legend
‎01-13-2015 10:31 AM

I like @chanfoli's answer, but you can also do this:

Splunk 6: Is the deployment client phoning home?

index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler) host=hostname
| sort _time
| table _time host log_level message

In Splunk 5, the Splunk internal log format was a bit different. You could also use a similar search to identify clients that were phoning home yesterday, but have not phoned home today:

index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler) earliest=-2d
| eval Day=if(_time>(now()-86400),"Today","Yesterday")
| chart count by host day
| where Yesterday>0 AND Today<0
Reply

chanfoli
Builder
‎01-13-2015 10:16 AM

Via splunk web on the deployment server. Go to settings->forwarder management, select the clients and type in part of the hostname in the filter text box. If it is phoning home it should show up there with app count and time since last phone-home.

Reply

dolfantimmy
Path Finder
‎01-13-2015 10:27 AM

Thank you for your response. However, when on the web ui on the deployment server, I see no "settings->forwarder management"

0 Karma
Reply

dolfantimmy
Path Finder
‎01-13-2015 10:27 AM

I should note, this is version 5.0.1

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...