Hey,
We have some 1500 servers where Splunk forwarders are installed. We need the path to find the location of data or logs coming from these servers. Is there a simple way to do that?
Hi @Mukunda7,
Actually, I wanted to answer you in this way right away, but I forgot to edit the answer.
To have only the path,
you could use this search for Windows servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats values(log_path) AS log_path count BY host
and for Linux servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats values(log_path) AS log_path count BY host
if you want all the source files, you could use this search both for Windows and Linux:
| metasearch index=*
| stats values(source) AS source count BY host
Ciao.
Giuseppe
Thanks, but is the path we are getting here the forwarders' path or the path of the logs/file types we configured to send to Splunk? Please elaborate.
Hi @Mukunda7,
if you want the path of the forwarders, you can use my search.
if you want the path and the filename of all log files, you can use a similar search:
| metasearch index=*
| stats count BY source
if instead you want only the path but not the filename of all log files, you can use a similar search:
for Windows servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats count BY log_path
for Linux servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats count BY log_path
Probably one search with both regexes will also work, but I can't try it:
| metasearch index=*
| rex field=source "(?<log_path>.*)((\\\)|(\/)).+$"
| stats count BY log_path
Ciao.
Giuseppe
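The directory extraction done by the combined rex in the reply above, as an added Python example that is not part of the original thread. It runs over constructed (host, source) pairs and also collects sources that are not file paths (Windows event log or network inputs), which the rex leaves without a log_path and which therefore drop out of `stats count BY log_path`. The function names and sample data are assumptions, and Python's regex escaping differs from SPL's.

```python
import re
from collections import defaultdict

# Python equivalent of the thread's combined rex: greedy directory part, then the
# last path separator (backslash or forward slash), then a non-empty filename.
LOG_PATH_RE = re.compile(r"^(?P<log_path>.*)[\\/].+$")


def log_path(source):
    """Return the directory part of a file source, or None if it is not a path."""
    m = LOG_PATH_RE.match(source)
    return m.group("log_path") if m else None


def paths_by_host(rows):
    """rows: iterable of (host, source) pairs.

    Returns (host -> set of log directories, list of rows the regex did not match).
    The second value is what a `stats ... BY log_path` search would silently omit.
    """
    dirs = defaultdict(set)
    unmatched = []
    for host, source in rows:
        p = log_path(source)
        if p is None:
            unmatched.append((host, source))
        else:
            dirs[host].add(p)
    return dict(dirs), unmatched


# Constructed sample of (host, source) pairs, not taken from a real deployment.
SAMPLE = [
    ("web01", "/var/log/nginx/access.log"),
    ("web01", "/var/log/nginx/error.log"),
    ("web01", "/var/log/secure"),
    ("dc01", r"C:\Windows\System32\dns\dns.log"),
    ("dc01", "WinEventLog:Security"),  # event log input, no file path
    ("fw01", "udp:514"),               # network input, no file path
]

if __name__ == "__main__":
    by_host, skipped = paths_by_host(SAMPLE)
    for host in sorted(by_host):
        print(host, sorted(by_host[host]))
    print("not matched by the regex:", skipped)
```
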
Fantastic, thanks. What can we add to the query to display the names of the respective servers and the path and filename of all log files?
Hi @Mukunda7,
good for you, see you next time!
If this answer solves your need, please accept it for the other people of the Community.
Ciao and happy splunking.
Giuseppe
Hi @Mukunda7,
you should know where Universal Forwarder is installed on your servers, anyway, you could try a search like this:
index=_internal
| rex field=source "(?i)^(?<inst_path>.*(?:splunkforwarder|splunkuniversalforwarder))"
| stats values(inst_path) AS inst_path BY host
Ciao.
Giuseppe