Getting Data In

path or logfiles location for 1500 servers

Mukunda7
Explorer

Hey,

We have some 1500 servers where Splunk forwarders are installed. We need the path to find the location of data or logs coming from these servers. Is there a simple way to do that?

Mukunda7
Explorer

@gcusello 

Thanks, but is the path we are getting here the forwarders' path or the path of the logs and file types we configured to send to Splunk? Please elaborate.


gcusello
SplunkTrust

Hi @Mukunda7,

If you want the path of the forwarders, you can use my search.

If you want the path and the filename of all log files, you can use a similar search:

| metasearch index=*
| stats count BY source

If instead you want only the path but not the filename of all log files, you can use a similar search:

For Windows servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats count BY log_path

For Linux servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats count BY log_path

Probably one search with both regexes will also work, but I can't try it:

| metasearch index=* 
| rex field=source "(?<log_path>.*)((\\\)|(\/)).+$"
| stats count BY log_path

Ciao.

Giuseppe
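The path extraction discussed in the post above can be checked offline before running it across 1500 hosts. This is an added example, not code from the thread: it uses Python's `(?P<name>...)` group syntax and a single `[\\/]` character class for both separators, and the sample rows and function names are constructed. It also shows that sources with no path separator (for example `WinEventLog:Security`) get no `log_path`, so they would not appear in `stats count BY log_path`.

```python
import re
from collections import defaultdict

# Same idea as the rex in the thread: greedy capture up to the last
# "\" or "/", with at least one character (the file name) after it.
LOG_PATH = re.compile(r"^(?P<log_path>.*)[\\/].+$")

def log_path(source):
    """Return the directory part of a file source, or None when the
    source has no path separator (non-file inputs)."""
    m = LOG_PATH.match(source)
    return m.group("log_path") if m else None

def paths_by_host(rows):
    """Rough equivalent of `stats values(log_path) count BY host`
    over (host, source) pairs, keeping unmatched sources visible."""
    out = defaultdict(lambda: {"log_path": set(), "no_path": set(), "count": 0})
    for host, source in rows:
        entry = out[host]
        entry["count"] += 1
        path = log_path(source)
        if path is None:
            entry["no_path"].add(source)   # would be dropped by "BY log_path"
        else:
            entry["log_path"].add(path)
    return dict(out)

# Constructed sample rows standing in for metasearch results.
SAMPLE_ROWS = [
    ("web01", "/var/log/nginx/access.log"),
    ("web01", "/var/log/nginx/error.log"),
    ("web01", "/var/log/secure"),
    ("win01", r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex240101.log"),
    ("win01", "WinEventLog:Security"),
]

if __name__ == "__main__":
    for host, info in sorted(paths_by_host(SAMPLE_ROWS).items()):
        print(host, info["count"], sorted(info["log_path"]), sorted(info["no_path"]))
```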

Mukunda7
Explorer

@gcusello 

Fantastic, thanks. What can we add to the query to display the names of the respective servers and the path and filename of all log files?

gcusello
SplunkTrust

Hi @Mukunda7,

Actually, I wanted to answer you in this fid way right away, but I forgot to edit the answer.

To have only the path, you could use this search for Windows servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats values(log_path) AS log_path count BY host

and for Linux servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats values(log_path) AS log_path count BY host

If you want all the source files, you could use this search for both Windows and Linux:

| metasearch index=*
| stats values(source) AS source count BY host

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @Mukunda7,

Good for you, see you next time!

If this answer solves your need, please accept it for the other people of the Community.

Ciao and happy splunking.

Giuseppe


gcusello
SplunkTrust

Hi @Mukunda7,

You should know where the Universal Forwarder is installed on your servers; anyway, you could try a search like this:

index=_internal
| rex field=source "(?i)^(?<inst_path>.*(?:splunkforwarder|splunkuniversalforwarder))"
| stats values(inst_path) AS inst_path BY host

Ciao.

Giuseppe
