Hi,
I am attempting to determine if Splunk is installed on all of our local systems within our environment. Is there a way to check this through Tags, the Windows Registry (regedit), or ParentProcessname or a PowerShell script? If so, could you please provide guidance on the process?
Thanks
@gcusello
What are the validation criteria for Splunk UniversalForwarder?
hi @AL3Z,
the validation criterion is the presence of each host both in the lookup and in the search results.
ciao.
Giuseppe
Hi @gcusello I need something like below
Name | Common Check: Running Service Name | Common Check: Application Name in Control Panel | Tool Specific
UF | Splunk Forwarder | UF | How can we check the presence of UF, like path etc.?
Hi @AL3Z ,
let me understand: you can check the activity of a Universal Forwarder by searching in Splunk whether it sends internal logs.
If it's down it doesn't send logs, but it's installed:
what do you want to check?
Then how do you want to merge Splunk data with other data, such as the one in the first row of your table?
It isn't clear to me how you take the data.
ciao.
Giuseppe
Hello @gcusello,
We are currently working on a script to verify the existence of various tools, including Tanium, Forescout, Akamai, and Splunk Forwarder, on all the machines.
Hi @AL3Z,
if you need a script outside Splunk, to check the presence of a Splunk installation you have to check whether the splunk folder (for Splunk server) or the splunkforwarder folder (for Universal Forwarders) exists.
If you want to check the Splunk activity you have to search for the splunkd process, which is present both in Windows and Linux.
In Linux it is:
ps -eafd | grep splunkd
In Windows there's the command tasklist, but I'm not a Windows specialist.
Ciao.
Giuseppe
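An added example, not from this thread, that turns the folder and process checks above into a reusable PowerShell check, since the original question asked for PowerShell or the registry. The install path, service name and Control Panel display name are assumptions based on a default Universal Forwarder install and should be adjusted to your build.

```powershell
# Added example (not from the thread): inventory one Windows host for a Splunk
# Universal Forwarder using the checks discussed above: install folder,
# Control Panel (Uninstall registry) entry, Windows service, running splunkd.
function Test-SplunkForwarder {
    [CmdletBinding()]
    param(
        # Assumption: default UF install path; override if installed elsewhere.
        [string]$InstallPath = 'C:\Program Files\SplunkUniversalForwarder',
        # Assumption: service name registered by the UF installer.
        [string]$ServiceName = 'SplunkForwarder'
    )

    # "splunkforwarder folder" check: look for the splunkd binary on disk.
    $folder = Test-Path -Path (Join-Path $InstallPath 'bin\splunkd.exe')

    # "Application Name in Control Panel" check via the Uninstall registry keys
    # (assumption: the UF entry's DisplayName contains "UniversalForwarder").
    $uninstall = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*UniversalForwarder*' }

    # "Running Service Name" check and the tasklist / ps | grep splunkd equivalent.
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $process = Get-Process -Name 'splunkd' -ErrorAction SilentlyContinue

    $installed = $folder -or ($null -ne $uninstall) -or ($null -ne $service)

    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        Installed     = $installed
        ServiceStatus = if ($service) { $service.Status.ToString() } else { 'NotFound' }
        Running       = $null -ne $process
        # Same labels as the Splunk-side search, plus the case the thread points
        # out: installed but down, which explains a host missing from _internal.
        Status        = if (-not $installed) { 'Missing' }
                        elseif ($process) { 'Present' }
                        else { 'Installed but stopped' }
    }
}

# Run locally:
Test-SplunkForwarder

# Fan out to a host list (hosts.txt is a constructed input) and keep a CSV to
# compare against the perimeter lookup on the Splunk side:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-SplunkForwarder} |
#     Select-Object Host, Installed, ServiceStatus, Running, Status |
#     Export-Csv .\uf_inventory.csv -NoTypeInformation
```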
For UF, can you please provide the search to find all the hosts that contain a Forwarder?
Hi @AL3Z,
for forwarders, you should have a list of all the UFs to monitor in a lookup called e.g. perimeter.csv, containing at least one field (host).
Then you can run a search like the following:
| tstats count WHERE index=_internal BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0
In this way you have the list of UFs not sending logs.
If you want a table with all hosts with their status, you could run something like this:
| tstats count WHERE index=_internal BY host
| eval host=lower(host)
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"Missing","Present")
Ciao.
Giuseppe
For SE, it's not possible to access the interface or check if the Splunk process is active for all other machines from my machine.
Hi @AL3Z,
are you speaking of Splunk Enterprise or Splunk Universal Forwarder?
If SE, you can try to access the interface or check if the Splunk process is active.
If UF, you can see in Splunk if you have internal logs (index=_internal host=<your_host>), or check if the Splunk process is active.
Ciao.
Giuseppe