Getting Data In

path or logfiles location for 1500 servers

Mukunda7
Explorer

Hey,

We have some 1500 servers where Splunk forwarders are installed. We need the path to find the location of data or logs coming from these servers. Is there a simple way to do that?


Mukunda7
Explorer

@gcusello 

Thanks, but is the path we are getting here the forwarders' path, or the path of the logs/file types we configured to send to Splunk? Please elaborate.

gcusello
Esteemed Legend

Hi @Mukunda7,

If you want the path of the forwarders, you can use my search.

If you want the path and the filename of all log files, you can use a similar search:

| metasearch index=*
| stats count BY source

If instead you want only the path, without the filename, of all log files, you can use a similar search:

for Windows servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats count BY log_path

for Linux servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats count BY log_path

Probably one search with both regexes will also work, but I cannot try it:

| metasearch index=* 
| rex field=source "(?<log_path>.*)((\\\)|(\/)).+$"
| stats count BY log_path

Ciao.

Giuseppe

Mukunda7
Explorer

@gcusello 

Fantastic, thanks. What can we add to the query to display the names of the respective servers along with the path and the filename of all log files?

gcusello
Esteemed Legend

Hi @Mukunda7,

Actually, I wanted to answer you this way right away, but I forgot to edit the answer.

To have only the path,

you could use this search for Windows servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\\\.+$"
| stats values(log_path) AS log_path count BY host

and for Linux servers:

| metasearch index=*
| rex field=source "(?<log_path>.*)\/.+$"
| stats values(log_path) AS log_path count BY host

If you want all the source files, you could use this search for both Windows and Linux:

| metasearch index=*
| stats values(source) AS source count BY host

Ciao.

Giuseppe

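The searches in the two answers above walk every event's metadata with metasearch, which gets slow across 1500 forwarders, and the Windows and Linux regexes have to be run separately. As an added example that is not part of the original thread, the search below uses tstats, which reads only the indexed host/source metadata from the tsidx files, splits each source into directory and file name with a single regex that accepts both separators (the four backslashes are what SPL string escaping needs to hand one literal backslash to the regex engine), and keeps inputs that are not files (Windows Event Log channels, network inputs, scripted inputs) visible instead of silently dropping them. The 24-hour window, the index=* scope and the field names log_path, log_file, log_files, events and last_seen are this example's own choices, not the original poster's.

```spl
| tstats count max(_time) AS last_seen WHERE index=* earliest=-24h BY host source
| rex field=source "^(?<log_path>.*)[\\\\/](?<log_file>[^\\\\/]+)$"
| eval log_path=coalesce(log_path, "(non-file input) ".source)
| stats sum(count) AS events, dc(source) AS files, values(log_file) AS log_files, max(last_seen) AS last_seen BY host, log_path
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort host, log_path
```

Run it from a search head over the indexes the forwarders write to; to look at one server, add host=<name> to the WHERE clause. Because tstats returns no raw events, the regex runs once per distinct host/source pair rather than once per event, which is what makes the fleet-wide version affordable. A source with no path separator (for example a WinEventLog channel name) is labelled as a non-file input rather than lost, so the per-host file count stays complete, and last_seen shows at a glance which paths have gone quiet.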

gcusello
Esteemed Legend

Hi @Mukunda7,

Good for you, see you next time!

If this answer solves your need, please accept it for the other people in the Community.

Ciao and happy splunking.

Giuseppe


gcusello
Esteemed Legend

Hi @Mukunda7,

You should know where the Universal Forwarder is installed on your servers; anyway, you could try a search like this:

index=_internal
| rex field=source "(?i)^(?<inst_path>.*(splunkforwarder|splunkuniversalforwarder))"
| stats values(inst_path) AS inst_path BY host

Ciao.

Giuseppe
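The rex above only finds forwarders whose install directory is literally named splunkforwarder or splunkuniversalforwarder. As an added example that is not part of the original answer, the search below derives SPLUNK_HOME from the fixed layout of the forwarder's own log instead: splunkd.log always lives in $SPLUNK_HOME/var/log/splunk/, so stripping that suffix from source yields the install directory whatever it was named, on both Windows and Linux, and then flags hosts that deviate from the default directory name. The 24-hour window and the field names splunk_home, default_dir, internal_events and last_seen are assumptions of this example.

```spl
| tstats count max(_time) AS last_seen WHERE index=_internal sourcetype=splunkd earliest=-24h BY host source
| rex field=source "^(?<splunk_home>.*)[\\\\/]var[\\\\/]log[\\\\/]splunk[\\\\/][^\\\\/]+$"
| where isnotnull(splunk_home)
| eval default_dir=if(match(splunk_home, "(?i)[\\\\/]splunk(universal)?forwarder$"), "yes", "no")
| stats values(splunk_home) AS splunk_home, values(default_dir) AS default_dir, sum(count) AS internal_events, max(last_seen) AS last_seen BY host
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort default_dir, host
```

Every Splunk instance that forwards its _internal index appears here, indexers and search heads included, so filter the host field (or compare against the deployment server's client list) if only universal forwarders are wanted. Hosts with default_dir=no are installed under a custom path, which is exactly what a regex anchored on the default directory name would have missed. A forwarder host absent from the result has not shipped splunkd.log in the window, which is itself worth investigating.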
