Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Definitive way to determine whether or not a machine is communicating with Splunk whether Windows or Unix?

infra2sec
Path Finder
‎07-29-2016 07:27 AM

Does anyone know how to generally quantify within a report or otherwise whether or not a system with an OS of any type is communicating with Splunk? I am sure that routers will be involved with my quest as well.

Thanks in advance.

Tags (1)
0 Karma
Reply

lycollicott
Motivator
‎07-29-2016 07:38 AM

index=_internal component=HttpPubSubConnection | table host | dedup host | sort host

0 Karma
Reply

twinspop
Influencer
‎07-29-2016 07:35 AM 
index=_internal  component=Metrics group=tcpin_connections

Those logs contain version and OS info. Slice and dice with stats as needed.

EDIT: Something like this, where _time will be the last time it logged:

EDIT EDIT: changed host to hostname (duh)

index=_internal  component=Metrics group=tcpin_connections | stats latest(_time) as _time latest(build) as Build latest(version) as SplunkVersion latest(os) as OS latest(fwdType) as SplunkType values(lastIndexer) as Indexers by hostname
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...