Is there a search to centrally list what my universal forwarders are monitoring?

lycollicott
Motivator

I know that I can use curl to query the API

curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor 

but is there a way to get such information directly from search?


lycollicott
Motivator

I used PowerShell to loop through a list of my servers and run "splunk list monitor -auth admin:xxxxxxx" on all of them.


dominiquevocat
SplunkTrust

You could install this app https://splunkbase.splunk.com/app/2775/
and then do this search:
| metadata type=hosts index=_internal | fields host | forwarderquerystreaming api="/services/data/inputs/monitor" | spath input=returnvalue | fields host,feed.entry.title

lguinn2
Legend

The search heads and indexers have no information about the actual configuration (inputs.conf, etc.) of a forwarder. At most, you can search to see what data has arrived and how much has been sent by each forwarder - but you can't search to see what has been configured.

You could query the API of the forwarder - replace localhost:8089 with the name and splunkd port number of the forwarder. For example, if the forwarder is 10.10.4.204 and splunkd is running on port 8089 -

| rest https://10.10.4.204:8089/services/data/inputs/monitor

You may have to do a rest command to authenticate with the forwarder before this will work...
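The accepted answer loops over a server list from PowerShell and runs "splunk list monitor" on each host; this reply points at the same information on each forwarder's own management port. The script below is an added example, not code from this thread or from Splunk: it does the loop over HTTPS instead, fetching /services/data/inputs/monitor from each forwarder and parsing the Atom feed splunkd returns into one row per monitored path. The forwarder names, the SPLUNK_USER/SPLUNK_PASS environment variables and the embedded sample feed are assumptions constructed for the example; credentials are read from the environment rather than typed on the command line so they do not land in shell history or process listings the way `curl -u admin:pass` does.

```python
"""List monitor inputs across universal forwarders via the splunkd REST API.

Added example, not code from the thread or from Splunk. Assumes each
forwarder's management port (8089 by default) is reachable and that
credentials come from SPLUNK_USER / SPLUNK_PASS in the environment.
"""
import base64
import os
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Namespaces splunkd uses in its Atom responses.
NS = {"atom": "http://www.w3.org/2005/Atom",
      "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample of a /services/data/inputs/monitor response, trimmed to
# the elements this script reads. Used for offline runs and the tests.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:s="http://dev.splunk.com/ns/rest">
  <title>monitor</title>
  <entry>
    <title>$SPLUNK_HOME/var/log/splunk</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">0</s:key>
      <s:key name="host">uf_1</s:key>
      <s:key name="index">_internal</s:key>
    </s:dict></content>
  </entry>
  <entry>
    <title>/var/log/auth.log</title>
    <content type="text/xml"><s:dict>
      <s:key name="disabled">1</s:key>
      <s:key name="host">uf_1</s:key>
      <s:key name="index">os</s:key>
      <s:key name="sourcetype">linux_secure</s:key>
    </s:dict></content>
  </entry>
</feed>
"""


def parse_monitor_feed(xml_text):
    """Return one dict per <entry>: monitored path plus its input settings.

    Only keys directly under <content><s:dict> are read, so nested eai:acl
    dictionaries (owner, perms, ...) do not leak into the result.
    """
    root = ET.fromstring(xml_text)
    inputs = []
    for entry in root.findall("atom:entry", NS):
        path = entry.findtext("atom:title", default="", namespaces=NS)
        keys = {k.get("name"): (k.text or "").strip()
                for k in entry.findall("atom:content/s:dict/s:key", NS)}
        inputs.append({"path": path,
                       "host": keys.get("host", ""),
                       "index": keys.get("index", ""),
                       "sourcetype": keys.get("sourcetype", ""),
                       "disabled": keys.get("disabled", "0") == "1"})
    return inputs


def fetch_monitor_feed(host, port=8089, *, user, password, verify_tls=True, timeout=10):
    """GET the monitor inputs of one forwarder with HTTP Basic auth.

    count=0 asks splunkd for every entry rather than the default page size.
    verify_tls=False is the equivalent of curl -k; keep verification on for
    any forwarder that no longer runs the default self-signed certificate.
    """
    url = f"https://{host}:{port}/services/data/inputs/monitor?count=0"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def collect_monitor_inputs(forwarders, fetch=fetch_monitor_feed, **auth):
    """Query each forwarder in turn, like the PowerShell loop in the accepted
    answer. An unreachable host, TLS failure or bad credential is recorded
    for that host instead of aborting the whole run."""
    report = {}
    for fwd in forwarders:
        try:
            report[fwd] = {"inputs": parse_monitor_feed(fetch(fwd, **auth)), "error": None}
        except Exception as exc:
            report[fwd] = {"inputs": [], "error": f"{type(exc).__name__}: {exc}"}
    return report


def format_report(report):
    """Flatten the report into tab-separated 'forwarder path index state' lines."""
    lines = []
    for fwd, result in report.items():
        if result["error"]:
            lines.append(f"{fwd}\tERROR\t{result['error']}")
        for inp in result["inputs"]:
            state = "disabled" if inp["disabled"] else "enabled"
            lines.append(f"{fwd}\t{inp['path']}\t{inp['index']}\t{state}")
    return lines


if __name__ == "__main__":
    # Usage: SPLUNK_USER=admin SPLUNK_PASS=... python list_monitors.py uf_1 uf_2
    hosts = sys.argv[1:] or ["uf_1"]
    user, password = os.environ.get("SPLUNK_USER"), os.environ.get("SPLUNK_PASS")
    if user and password:
        result = collect_monitor_inputs(hosts, user=user, password=password)
    else:  # no credentials: exercise the parser on the constructed sample feed
        result = collect_monitor_inputs(hosts, fetch=lambda h, **kw: SAMPLE_FEED)
    print("\n".join(format_report(result)))
```

Without credentials in the environment the script runs against the embedded sample so the parser can be checked offline; with them it performs the real per-forwarder loop. Failures are kept per host in the report, which is what you want when one decommissioned forwarder in a list of hundreds refuses the connection.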

lycollicott
Motivator

I already tried various combinations of REST...

| rest https://master_1:8089/services/data/inputs/monitor | table host
| rest https://peer_1:8089/services/data/inputs/monitor | table host
| rest https://peer_2:8089/services/data/inputs/monitor | table host
| rest https://uf_1:8089/services/data/inputs/monitor | table host

but they all return the exact same data....

host    title
peer_1  $SPLUNK_HOME\/etc\/splunk.version
peer_1  $SPLUNK_HOME\/var\/log\/introspection
peer_1  $SPLUNK_HOME\/var\/log\/splunk
peer_1  $SPLUNK_HOME\/var\/spool\/splunk
peer_1  $SPLUNK_HOME\/var\/spool\/splunk\/...stash_new

lycollicott
Motivator

BTW, I tried the following, but it returned results about one of the indexers and nothing at all about a UF.

| rest /services/data/inputs/monitor | table host, title, index
