Getting Data In

Is there a way to get a list of heavy forwarders via rest?



Is there a way to get a list of heavy forwarders via REST? We are creating our own HFW health page, since the DMC doesn't support it.

0 Karma

Super Champion
0 Karma


You could try this if all of your heavies follow a consistent naming convention:
| rest splunk_server=*hf* /services/server/introspection/indexer

Or this if you define a custom group:

| rest splunk_server_group=* splunk_server_group=* /services/search/distributed/peers 
| search search_groups=dmc_customgroup_Heavy_Forwarder
| table search_groups, server_roles, host
0 Karma


Do you need to use REST?

 index=_internal source=*metrics.log group=tcpin_connections 
 | eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
 | rename connectionType as connectType
 | eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
 | eval version=if(isnull(version),"pre 4.2",version)
 | rename version as Ver 
 | fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver
 | eval Indexer= splunk_server
 | eval Hour=relative_time(_time,"@h")
 | stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType sourceIp sourceHost destPort Indexer Ver
 | fieldformat Hour=strftime(Hour,"%x %H")

Ultra Champion

I think this might be the best answer right now since I'm not confident that the Monitoring Console's server roles are exposed for filtering...

0 Karma


Change your first line to this: index=_internal source=*metrics.log group=tcpin_connections fwdType="full"

If you don't specify fwdType="full" you will get all the universal forwarders listed too.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!