Getting Data In

How to test that a forwarder is connected to an indexer?

a212830
Champion

Hi,

What's the best way to determine that a forwarder is connected to an indexer? I don't want to base it on the last time data was seen, as some of these are low volume and sporadic (but still important) feeds. Is there a way to test for each forwarder that was connected at least once, and run a search to test that it is now connected? Is there a heartbeat or check-in setting and/or message?

0 Karma

ddrillic
Ultra Champion

You can use the following -

| inputlookup <host list> 
| fields host 
| join type=left host 
    [| metadata type=hosts index=* 
    | eval host=lower(host) 
    | eval _time=recentTime 
    | sort host, _time 
    | stats latest(_time) as recentTime by host ] 
| eval LAST=strftime(recentTime,"%a %m/%d/%Y-%T %Z(%z)"), DAYS_AGO=round((recentTime-now())/86400,0)

Where in the lookup you have the field host. You then sort by DAYS_AGO.

It would look like the following with the list of hosts -

(screenshot of the search results for the list of hosts omitted)

0 Karma

FrankVl
Ultra Champion

host != forwarder in many architectures. Especially when collecting events from many hosts through a syslog server, for instance, the host field will hold the name/IP of the original host, not that of the syslog server / forwarder.

And perhaps you intended to filter that using that lookup with the host list, but then still that will not work well given that it is stated in the question that the data sources can be very infrequent in some cases. And index=* will ignore internal indexes.

0 Karma

FrankVl
Ultra Champion

Forwarders also send their internal logs, which, even when the actual data inputs are very sparse, should still occur with a suitable frequency to establish whether they are still connected. But I guess the most straightforward way is looking at the metrics.log from your indexer, focusing on the tcpin_connections group:

index=_internal group="tcpin_connections" | stats latest(_time) by sourceHost

Which will give you the most recent connection from each forwarder.
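As an added illustration (not code from the thread or from Splunk), the following Python script does offline what the two searches above do inside Splunk: it reads metrics.log lines, keeps only the tcpin_connections group, takes the latest timestamp per sourceHost (FrankVl's `stats latest(_time) by sourceHost`), and then checks that result against a maintained list of forwarders that have connected at least once (the role of ddrillic's host lookup), flagging any that are stale or missing. The sample log lines, host names, IPs and the threshold are constructed for the example; the line layout only approximates the real metrics.log format, and the parser relies solely on the timestamp, `group=` and `sourceHost=` fields.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (hypothetical hosts and IPs) approximating the shape
# of Splunk's metrics.log tcpin_connections entries. Only the timestamp,
# group= and sourceHost= fields are parsed; everything else is decoration.
SAMPLE_METRICS_LOG = """\
04-01-2024 10:00:05.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=fwd-web01, sourceIp=10.0.0.11, destPort=9997, kb=12.50, fwdType=uf
04-01-2024 10:00:05.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51300:9997, connectionType=cooked, sourcePort=51300, sourceHost=fwd-db01, sourceIp=10.0.0.12, destPort=9997, kb=0.80, fwdType=uf
04-01-2024 10:30:35.001 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=fwd-web01, sourceIp=10.0.0.11, destPort=9997, kb=3.10, fwdType=uf
04-01-2024 10:30:35.001 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.20, eps=4.00, kb=36.00, ev=120
"""

# Timestamp with offset, then (lazily) the group marker and the sourceHost field.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} (?P<tz>[+-]\d{4}) .*?"
    r"group=tcpin_connections\b.*?\bsourceHost=(?P<host>[^,\s]+)"
)


def latest_connection_by_host(log_text):
    """Offline equivalent of
    `index=_internal group=tcpin_connections | stats latest(_time) by sourceHost`:
    returns {sourceHost: most recent tz-aware datetime} over the given lines."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # other metrics groups, or lines without a sourceHost
            continue
        ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%m-%d-%Y %H:%M:%S %z")
        host = m["host"].lower()  # normalise case, as the lookup search above does
        if host not in latest or ts > latest[host]:
            latest[host] = ts
    return latest


def forwarder_status(latest, known_forwarders, now, max_age_seconds):
    """Classify each forwarder on a maintained list (hosts that have connected
    at least once) as 'ok', 'stale' (last connection older than max_age_seconds)
    or 'never_seen' (no tcpin_connections entry at all in the examined lines)."""
    status = {}
    for host in known_forwarders:
        host = host.lower()
        seen = latest.get(host)
        if seen is None:
            status[host] = "never_seen"
        elif (now - seen).total_seconds() > max_age_seconds:
            status[host] = "stale"
        else:
            status[host] = "ok"
    return status


def run_sample():
    """Evaluate the constructed sample with a fixed 'now' and a 20-minute threshold;
    fwd-app01 is on the known list but absent from the log."""
    now = datetime(2024, 4, 1, 10, 45, tzinfo=timezone.utc)
    latest = latest_connection_by_host(SAMPLE_METRICS_LOG)
    known = ["fwd-web01", "fwd-db01", "fwd-app01"]
    return forwarder_status(latest, known, now, int(timedelta(minutes=20).total_seconds()))


if __name__ == "__main__":
    latest = latest_connection_by_host(SAMPLE_METRICS_LOG)
    for host, state in sorted(run_sample().items()):
        print(f"{host:12} {state:10} last seen: {latest.get(host)}")
```

The threshold should be set to a small multiple of the forwarder's metrics interval rather than to anything derived from the data inputs themselves, which is the point FrankVl makes: a forwarder's internal traffic arrives steadily even when its monitored sources are silent, so a gap in tcpin_connections is a connectivity signal, whereas a gap in the data indexes is not.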

ChrisG
Splunk Employee

One way is to install the Splunk Deployment Monitor app, which shows you information about forwarder status over time and warnings for forwarders that appear to be missing.

zsustar
New Member

Oops!
This app is currently not available....

How to use the CLI to test?

0 Karma