How to determine which inputs are configured in my Splunk architecture? - RESOLVED

vikram_m
Path Finder

Hello Team,

I have recently joined a team and the old Splunk admin has left.

I am having trouble determining the number of Universal Forwarders, direct data-pull inputs, and the number of ways data is brought into the Splunk environment. Is there any way in Splunk where I can directly see where the inputs are configured to get into Splunk?

Please suggest how I can get information about the inputs to the architecture.

0 Karma
1 Solution

somesoni2
Revered Legend

If you're using a Deployment server, then look at the $SPLUNK_HOME/etc/deployment-apps directory for apps which contain inputs.conf. From inputs.conf you can identify all the data inputs (files/script/database/eventlog/perfmon or anything else) that you're using in your environment to collect data. Then look at the serverclass.conf on the deployment server to see which app (which contains the inputs.conf) is deployed to which client/forwarder. Also check the inputs.conf on Indexers/Heavy forwarders to see if there are direct data inputs configured there (TCP/UDP etc.).

0 Karma
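The procedure in the accepted answer (inventory inputs.conf stanzas under deployment-apps, then map apps to server classes and their whitelisted forwarders via serverclass.conf, then separately check the indexer's own inputs.conf for direct TCP/UDP listeners) can be scripted. The following is an added example, not code from the original thread or from Splunk; the file contents are constructed, the app names, server class names and host patterns are invented, and the function names (parse_inputs, parse_serverclass, build_inventory, count_by_scheme) are this example's own. On a real deployment server you would read each app's default/inputs.conf and local/inputs.conf from $SPLUNK_HOME/etc/deployment-apps/ and the system serverclass.conf instead of the inline strings.

```python
"""Inventory Splunk data inputs from deployment-server .conf files (added example)."""
import configparser
from collections import Counter, defaultdict

# Constructed sample: three deployment apps; one ships no inputs.conf stanzas.
DEPLOYMENT_APPS = {
    "linux_inputs": """
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os

[script://./bin/netstat.sh]
interval = 300
sourcetype = netstat
""",
    "win_inputs": """
[WinEventLog://Security]
index = wineventlog

[perfmon://CPU]
counters = % Processor Time
disabled = 0
""",
    "common_props": "",  # a props-only app: nothing to collect
}

# Constructed serverclass.conf: which app goes to which forwarder pattern.
SERVERCLASS_CONF = """
[serverClass:linux_hosts]
whitelist.0 = web-*
whitelist.1 = db-*

[serverClass:linux_hosts:app:linux_inputs]

[serverClass:windows_hosts]
whitelist.0 = win-*

[serverClass:windows_hosts:app:win_inputs]
"""

# Constructed inputs.conf as found on an indexer: direct network listeners.
INDEXER_INPUTS = """
[splunktcp://9997]
[tcp://514]
sourcetype = syslog
[udp://514]
sourcetype = syslog
"""


def _load(text):
    # Splunk .conf files are INI-like; disable '%' interpolation (perfmon counters use it).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. whitelist.0
    cp.read_string(text)
    return cp


def parse_inputs(text):
    """One dict per input stanza: scheme (monitor, script, tcp, ...), target, index, sourcetype, disabled."""
    cp = _load(text)
    rows = []
    for stanza in cp.sections():
        scheme, sep, target = stanza.partition("://")
        sec = cp[stanza]
        rows.append({
            "stanza": stanza,
            "scheme": scheme if sep else "other",
            "target": target,
            "index": sec.get("index", "default"),
            "sourcetype": sec.get("sourcetype", ""),
            "disabled": sec.get("disabled", "0").lower() in ("1", "true"),
        })
    return rows


def parse_serverclass(text):
    """Map server class name -> whitelist/blacklist patterns and the apps it deploys."""
    cp = _load(text)
    classes = defaultdict(lambda: {"whitelist": [], "blacklist": [], "apps": []})
    for stanza in cp.sections():
        parts = stanza.split(":")
        if parts[0] != "serverClass" or len(parts) < 2:
            continue
        cls = classes[parts[1]]
        if len(parts) == 4 and parts[2] == "app":
            cls["apps"].append(parts[3])  # [serverClass:<name>:app:<app>]
            continue
        for key, value in cp[stanza].items():
            kind, _, idx = key.partition(".")
            if kind in ("whitelist", "blacklist") and idx.isdigit():
                cls[kind].append(value)
    return dict(classes)


def build_inventory(deployment_apps, serverclass_text):
    """app -> its input stanzas, the server classes deploying it, and the forwarder patterns targeted."""
    classes = parse_serverclass(serverclass_text)
    inventory = {}
    for app, text in deployment_apps.items():
        inputs = parse_inputs(text)
        if not inputs:
            continue  # app collects nothing; irrelevant to the input inventory
        deployed_to = [name for name, c in classes.items() if app in c["apps"]]
        targets = sorted({p for name in deployed_to for p in classes[name]["whitelist"]})
        inventory[app] = {"inputs": inputs, "serverclasses": deployed_to, "targets": targets}
    return inventory


def count_by_scheme(rows):
    """Count enabled inputs per scheme, e.g. how many tcp/udp listeners an indexer exposes."""
    return Counter(r["scheme"] for r in rows if not r["disabled"])


if __name__ == "__main__":
    for app, info in build_inventory(DEPLOYMENT_APPS, SERVERCLASS_CONF).items():
        print(f"{app}: classes={info['serverclasses']} targets={info['targets']}")
        for r in info["inputs"]:
            print(f"    {r['scheme']:<12} {r['target']:<25} index={r['index']} sourcetype={r['sourcetype']}")
    print("indexer direct inputs:", dict(count_by_scheme(parse_inputs(INDEXER_INPUTS))))
```

On a live host, `splunk btool inputs list --debug` gives the merged view of every inputs.conf layer with the file each stanza came from, which is the quickest cross-check that the deployment-apps copies match what the forwarder or indexer is actually running.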

esix_splunk
Splunk Employee

Look at the metadata command; over a given period it will show you what hosts are sending data to Splunk.

 | metadata type=hosts index=*
 | fields - firstTime,totalCount,type
 | convert ctime(lastTime) ctime(recentTime)
 | table host ageInSeconds lastTime recentTime

You can also use type=sourcetypes here and see relative sourcetypes.

See docs here: https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Metadata

Additionally, you can look at forwarder management on the DMC if you are using a more recent version and it will give you additional information such as topology and forwarder types coming in.

You can also look through the _internal index and build from there.
Review this post: https://answers.splunk.com/answers/482475/how-to-determine-the-inputs-to-the-splunk-environm.html#an...

0 Karma