Does anyone have a query that lists UF hosts by version and serverclass?
I need a report that provides
host= <foo> Splunk Version = <version num> ServerClass = <bar>
You can use below search. Thanks to @gcusello , I added splunkVersion to his search.
| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd splunkVersion
| eval temp=hostname."#".ip."#".utsname."#".splunkVersion
| table temp *.restartSplunkd splunkVersion
| eval application.NoApp.restartSplunkd=0
| untable temp apps count
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null())
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() )
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)#(?<splunkVersion>.*)"
| table Host Host_IP Machine_Type Apps ServerClass splunkVersion
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type splunkVersion
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass
| eval dc_apps=dc_apps-1
View solution in original post
only flaw with the query is that the app counts are not quite right, but it gets me going, thx