Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get a list of all hosts installed with Universal Forwarder

Vetrikmr
New Member
‎11-16-2017 09:34 PM

I have a bunch of agents(hosts) in Appdynamics, I wanted to figure out that the Universal Forwarder is installed or not in all those hosts to collect logs to Splunk.
Is there any way that I can get the list of hosts that installed with UF.

Thanks in advance.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2017 01:39 AM

Hi Vetrikmr
if you want to find servers that sent logs to Indexers you can use the Monitor Console, in this way you have many additional information about them.
If instead you want to know Universal Forwarderd connected to a deployment Server you have to access it and go in [Settings -- Forwarders Management].

Bye.
Giuseppe

0 Karma
Reply

harsmarvania57
Ultra Champion
‎11-17-2017 12:30 AM

Hi,

You can run below query to find out which hosts are sending data to your splunk instance.

index="_internal" source="*metrics.log*" group=tcpin_connections | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch

If you want to find only universal forwarders then please use below query.

index="_internal" source="*metrics.lo*" group=tcpin_connections  fwdType=uf | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch
Reply

ninjaneer68
New Member
‎08-18-2020 02:39 PM

For your two queries, what would be a good way to get lastseen added to it ?

Trying to get a list of all forwarders and when splunk last saw the UF report back into splunk

Tags (1)
0 Karma
Reply

kairobin
Path Finder
‎10-30-2024 02:13 AM

Hello
This really sums it all up to me. 

index="_internal" source="*metrics.lo*" group=tcpin_connections fwdType=uf
| stats latest(_time) as lastSeen by hostname, sourceIp, fwdType, guid, version, build, os, arch
| eval lastSeenFormatted = strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| eval timeDifferenceSec = now() - lastSeen
| eval timeSinceLastSeen = tostring(floor(timeDifferenceSec / 3600)) . "h " . tostring(round((timeDifferenceSec % 3600) / 60)) . "m"
| table hostname, sourceIp, fwdType, guid, version, build, os, arch, lastSeenFormatted, timeSinceLastSeen
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...