Hey,
We have some 1500 servers where Splunk forwarders are installed. We need the path to find the location of data or logs coming from these servers. Is there a simple way to do that?
Hi @Mukunda7,
Actually, I wanted to answer you in this fid way right away, but I forgot to edit the answer.
To have only the path, you could use this search for Windows servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats values(log_path) AS log_path count BY host
and for Linux servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats values(log_path) AS log_path count BY host
If you want all the source files, you could use this search for both Windows and Linux:
| metasearch index=*
| stats values(source) AS source count BY host
Ciao.
Giuseppe
Thanks, but is the path we are getting here the forwarders' path or the path of the logs and file types we configured to send to Splunk? Please elaborate.
Hi @Mukunda7,
If you want the path of the forwarders, you can use my search.
If you want the path and the filename of all log files, you can use a similar search:
| metasearch index=*
| stats count BY source
If instead you want only the path but not the filename of all log files, you can use a similar search.
For Windows servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats count BY log_path
For Linux servers:
| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats count BY log_path
Probably one search with both the regexes will also work, but I can't try it:
| metasearch index=*
| rex field=source "(?<log_path>.*)((\\\)|(\/)).+$"
| stats count BY log_path
Ciao.
Giuseppe
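Added example, not part of the original posts: an offline Python check of the path/filename split that the combined rex above aims for, run over constructed rows shaped like an export of `| metasearch index=* | stats count BY host source`. It also covers the case the rex leaves out: sources that are not file paths get no `log_path`. The function names, host names and sample sources are assumptions for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Same idea as the combined rex in the post above: everything before the
# last "\" or "/" is the directory, the rest is the file name.
PATH_RE = re.compile(r"^(?P<log_path>.*)[\\/](?P<file>[^\\/]+)$")

# Constructed sample, shaped like a CSV export of
#   | metasearch index=* | stats count BY host source
SAMPLE_CSV = r"""host,source,count
web01,/var/log/nginx/access.log,120
web01,/var/log/nginx/error.log,4
web01,/var/log/secure,17
dc01,C:\Windows\System32\LogFiles\Firewall\pfirewall.log,52
dc01,WinEventLog:Security,900
fw01,udp:514,3000
"""


def split_source(source):
    """Return (directory, file name); (None, None) if source is not a file path."""
    m = PATH_RE.match(source)
    return (m.group("log_path"), m.group("file")) if m else (None, None)


def inventory(csv_text):
    """Per host: monitored directories and the sources that are not file paths."""
    dirs, other = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        log_path, _ = split_source(row["source"])
        if log_path is None:
            other[row["host"]].add(row["source"])  # would be dropped by BY log_path
        else:
            dirs[row["host"]].add(log_path)
    return dirs, other


if __name__ == "__main__":
    dirs, other = inventory(SAMPLE_CSV)
    for host in sorted(set(dirs) | set(other)):
        print(host, sorted(dirs[host]), sorted(other[host]))
```

This checks only the regex logic; the backslash escaping inside a quoted SPL string is a separate matter that has to be verified in Splunk itself.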
Fantastic, thanks. What can we add to the query to display the names of the respective servers along with the path and the filename of all log files?
Hi @Mukunda7,
Good for you, see you next time!
If this answer solves your need, please accept it for the other people of the Community.
Ciao and happy splunking.
Giuseppe
Hi @Mukunda7,
You should know where the Universal Forwarder is installed on your servers; anyway, you could try a search like this:
index=_internal
| rex field=source "(?i)^(?<inst_path>.*(?:splunkforwarder|splunkuniversalforwarder))"
| stats values(inst_path) AS inst_path BY host
Ciao.
Giuseppe