- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is there a search to centrally list what my univer...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know that I can use curl to query the API
curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor
but is there a way to get such information directly from search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used PowerShell to loop through a list of my servers and run "splunk list monitor -auth admin:xxxxxxx" on all of them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could install this app https://splunkbase.splunk.com/app/2775/
and then do this search:
| metadata type=hosts index=_internal| fields host | forwarderquerystreaming api="/services/data/inputs/monitor" | spath input=returnvalue | fields host,feed.entry.title
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I used PowerShell to loop through a list of my servers and run "splunk list monitor -auth admin:xxxxxxx" on all of them.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The search heads and indexers have no information about the actual configuration (inputs.conf, etc.) of a forwarder. At most, you can search to see what data has arrived and how much has been sent by each forwarder - but you can't search to see what has been configured.
You could query the API of the forwarder - replace localhost:8089 with the name and splunkd port number of the forwarder. For example, if the forwarder is 10.10.4.204 and splunkd is running on port 8089 -
| rest https://10.10.4.204:8089 /services/data/inputs/monitor
You may have to do a rest command to authenticate with the forwarder before this will work...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already tried various combinations of REST...
| rest https://master_1:8089/services/data/inputs/monitor | table host
| rest https://peer_1:8089/services/data/inputs/monitor | table host
| rest https://peer_2:8089/services/data/inputs/monitor | table host
| rest https://uf_1:8089/services/data/inputs/monitor | table host
but they all return the exact same data....
host title
peer_1 $SPLUNK_HOME\/etc\/splunk.version
peer_1 $SPLUNK_HOME\/var\/log\/introspection
peer_1 $SPLUNK_HOME\/var\/log\s/plunk
peer_1 $SPLUNK_HOME\/var\/spool\/splunk
peer_1 $SPLUNK_HOME\/var\/spool\/splunk./..stash_new
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
BTW, I tried the following, but it returned results about one of the indexers and nothing at all about a UF.
| rest /services/data/inputs/monitor | table host, title, index
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
