Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get a list of all hosts installed with Universal Forwarder

Vetrikmr
New Member
‎11-16-2017 09:34 PM

I have a bunch of agents(hosts) in Appdynamics, I wanted to figure out that the Universal Forwarder is installed or not in all those hosts to collect logs to Splunk.
Is there any way that I can get the list of hosts that installed with UF.

Thanks in advance.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-17-2017 01:39 AM

Hi Vetrikmr
if you want to find servers that sent logs to Indexers you can use the Monitor Console, in this way you have many additional information about them.
If instead you want to know Universal Forwarderd connected to a deployment Server you have to access it and go in [Settings -- Forwarders Management].

Bye.
Giuseppe

0 Karma
Reply

harsmarvania57
Ultra Champion
‎11-17-2017 12:30 AM

Hi,

You can run below query to find out which hosts are sending data to your splunk instance.

index="_internal" source="*metrics.log*" group=tcpin_connections | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch

If you want to find only universal forwarders then please use below query.

index="_internal" source="*metrics.lo*" group=tcpin_connections  fwdType=uf | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch
Reply

ninjaneer68
New Member
‎08-18-2020 02:39 PM

For your two queries, what would be a good way to get lastseen added to it ?

Trying to get a list of all forwarders and when splunk last saw the UF report back into splunk

Tags (1)
0 Karma
Reply

kairobin
Path Finder
‎10-30-2024 02:13 AM

Hello
This really sums it all up to me. 

index="_internal" source="*metrics.lo*" group=tcpin_connections fwdType=uf
| stats latest(_time) as lastSeen by hostname, sourceIp, fwdType, guid, version, build, os, arch
| eval lastSeenFormatted = strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| eval timeDifferenceSec = now() - lastSeen
| eval timeSinceLastSeen = tostring(floor(timeDifferenceSec / 3600)) . "h " . tostring(round((timeDifferenceSec % 3600) / 60)) . "m"
| table hostname, sourceIp, fwdType, guid, version, build, os, arch, lastSeenFormatted, timeSinceLastSeen
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...