Solved: List of indexer and list of indexes for each index...

kagamalai · ‎06-03-2021

In the distributor environment how do i pull the report for List of indexer and list of indexes for each indexer - not system created

aasabatini · ‎06-03-2021

Hi @kagamalai

you need to combine the following searches the first one is for the uf per indexer

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort 0 - count

the second one is the confs per indexer

| rest /services/data/inputs/all
| search index!=_*
| stats values(sourcetype)  values(index) values(source) by splunk_server

if this message help please confirm the solution or share karma points

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini · ‎06-03-2021

Hi @kagamalai

try this

|dbinspect index=* | search index!=_* | chart dc(bucketId) over splunk_server by index

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

kagamalai · ‎06-03-2021

Thanks its working but coming complete index which we created.

Can you please give me the solution for in the distributed environment if we search based on indexer name we want the output like index name, reported source,source type, no of UF or host

aasabatini · ‎06-03-2021

Hi @kagamalai

this search works on indexes sourcetypes and sources by the splunk server

| rest /services/data/inputs/all
| search index!=_*
| stats values(sourcetype)  values(index) values(source) by splunk_server

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

kagamalai · ‎06-03-2021

Thanks Nice output, can you possible to add no of host reporting each splunk server ?

aasabatini · ‎06-03-2021

Hi @kagamalai

you need to combine the following searches the first one is for the uf per indexer

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort 0 - count

the second one is the confs per indexer

| rest /services/data/inputs/all
| search index!=_*
| stats values(sourcetype)  values(index) values(source) by splunk_server

if this message help please confirm the solution or share karma points

Regards

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

kagamalai · ‎06-04-2021

Thank you its working fine

I am running the below query from search head and getting result total host OS type wise from all the indexer for example 20

index=_internal fwdType="*"|dedup sourceHost| table sourceHost, os |stats count by os

I want to give the indexer name as input ( Indexer name ABCD001) and get the result only that indexer total no of host os type wise

can you please alter it

aasabatini · ‎06-04-2021

Hi @kagamalai

to help you better I created a dashboard with your request

<form>
  <label>indexer-analysis</label>
  <fieldset submitButton="true" autoRun="true">
    <input type="dropdown" token="field1">
      <label>Indexers</label>
      <fieldForLabel>indexer</fieldForLabel>
      <fieldForValue>indexer</fieldForValue>
      <search>
        <query>index=_internal| stats  values(splunk_server) as indexer by splunk_server | table indexer</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="time" token="field2">
      <label>timerange</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd destPort!="-" splunk_server=$field1$ | stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort 0 - count</query>
          <earliest>$field2.earliest$</earliest>
          <latest>$field2.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <search>
          <query>| rest /services/data/inputs/all
| search index!=_* splunk_server=$field1$
| stats values(sourcetype)  values(index) values(source) by splunk_server</query>
          <earliest>$field2.earliest$</earliest>
          <latest>$field2.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

you need only to copy and paste

if help karma points are appreciated

Alessandro

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

kagamalai · ‎06-04-2021

Thank you very much, I could see the list UF details but total no of host ( UF) not showing possible to add.

Thanks in advance.

List of indexer and list of indexes for each indexer

indexer

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...