Getting Data In

How to list inactive forwarders in Splunk search


Im tring to come up with a way of listing all my forwarders (on or off) in a list and display whether they are active or inactive.

There is no guarentee that they will be turned on after a certain amount of time. I would prefer a solution where I don't have to search through all time just to get all the host names in a list.

I know that if I were to run the search over all time, I would do something with:
index=* host=* | dedup host
and then look for the last log instance and see if its discussing the shutdown procedure and status. - But this is very costly.

Surely Splunk has something built in that remembers what forwarders have connected in the past or something?

I have UF's on both windows and Linux machines.

Thanks in advance

0 Karma


hello there,

hope i understand your question / requirement.
try the | metadata command
elaborated article and examples here:

hope it helps

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!