Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get a list of all hosts installed with Universal Forwarder

Vetrikmr
New Member
‎11-16-2017 09:34 PM

I have a bunch of agents(hosts) in Appdynamics, I wanted to figure out that the Universal Forwarder is installed or not in all those hosts to collect logs to Splunk.
Is there any way that I can get the list of hosts that installed with UF.

Thanks in advance.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2017 01:39 AM

Hi Vetrikmr
if you want to find servers that sent logs to Indexers you can use the Monitor Console, in this way you have many additional information about them.
If instead you want to know Universal Forwarderd connected to a deployment Server you have to access it and go in [Settings -- Forwarders Management].

Bye.
Giuseppe

0 Karma
Reply

harsmarvania57
Ultra Champion
‎11-17-2017 12:30 AM

Hi,

You can run below query to find out which hosts are sending data to your splunk instance.

index="_internal" source="*metrics.log*" group=tcpin_connections | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch

If you want to find only universal forwarders then please use below query.

index="_internal" source="*metrics.lo*" group=tcpin_connections  fwdType=uf | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch
Reply

ninjaneer68
New Member
‎08-18-2020 02:39 PM

For your two queries, what would be a good way to get lastseen added to it ?

Trying to get a list of all forwarders and when splunk last saw the UF report back into splunk

Tags (1)
0 Karma
Reply

kairobin
Path Finder
‎10-30-2024 02:13 AM

Hello
This really sums it all up to me. 

index="_internal" source="*metrics.lo*" group=tcpin_connections fwdType=uf
| stats latest(_time) as lastSeen by hostname, sourceIp, fwdType, guid, version, build, os, arch
| eval lastSeenFormatted = strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| eval timeDifferenceSec = now() - lastSeen
| eval timeSinceLastSeen = tostring(floor(timeDifferenceSec / 3600)) . "h " . tostring(round((timeDifferenceSec % 3600) / 60)) . "m"
| table hostname, sourceIp, fwdType, guid, version, build, os, arch, lastSeenFormatted, timeSinceLastSeen
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top