Getting Data In

How to get a list of all hosts installed with Universal Forwarder

Vetrikmr
New Member

I have a bunch of agents(hosts) in Appdynamics, I wanted to figure out that the Universal Forwarder is installed or not in all those hosts to collect logs to Splunk.
Is there any way that I can get the list of hosts that installed with UF.

Thanks in advance.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi Vetrikmr
if you want to find servers that sent logs to Indexers you can use the Monitor Console, in this way you have many additional information about them.
If instead you want to know Universal Forwarderd connected to a deployment Server you have to access it and go in [Settings -- Forwarders Management].

Bye.
Giuseppe

0 Karma

harsmarvania57
Ultra Champion

Hi,

You can run below query to find out which hosts are sending data to your splunk instance.

index="_internal" source="*metrics.log*" group=tcpin_connections | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch

If you want to find only universal forwarders then please use below query.

index="_internal" source="*metrics.lo*" group=tcpin_connections  fwdType=uf | dedup hostname| table hostname,sourceIp,fwdType,guid,version,build,os,arch

ninjaneer68
New Member

For your two queries, what would be a good way to get lastseen added to it ?

Trying to get a list of all forwarders and when splunk last saw the UF report back into splunk

Tags (1)
0 Karma

kairobin
Path Finder

Hello
This really sums it all up to me. 

index="_internal" source="*metrics.lo*" group=tcpin_connections fwdType=uf
| stats latest(_time) as lastSeen by hostname, sourceIp, fwdType, guid, version, build, os, arch
| eval lastSeenFormatted = strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| eval timeDifferenceSec = now() - lastSeen
| eval timeSinceLastSeen = tostring(floor(timeDifferenceSec / 3600)) . "h " . tostring(round((timeDifferenceSec % 3600) / 60)) . "m"
| table hostname, sourceIp, fwdType, guid, version, build, os, arch, lastSeenFormatted, timeSinceLastSeen
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...