Monitoring Splunk

Please help with an SPL to find IF multiple FWs are installed on a host & List of all hosts, OS & IPs

SamHTexas
Builder

Please help with an SPL to find if multiple FWs are installed on a host & List of all hosts, OS & IPs. 

Labels (1)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SamHTexas,

to understand if you have more than one Forwarder installed and running on the same host it's really difficoult because usually Forwarders take hostname from the server where thay are installed, so two forwarders on the same server send logs with the same hostname and you cannot distinguish them.

So if you have this doubs, the only way is to check the processes running on each server and find if there are more than one "splunkd" active process.

To do this you have to run a script that you can find in Splunk_TA_Windows (for Windows server) or in Splunk_TA_Linux (for Linux servers).

To have a list of all your servers with OS and IP you can use the search that you can find in the first panel of the "Forwarders: Deployment" dashboard of the MC, in other words:

| inputlookup dmc_forwarder_assets
| makemv delim=" " avg_tcp_kbps_sparkline
| eval sum_kb = if (status == "missing", "N/A", sum_kb)
| eval avg_tcp_kbps_sparkline = if (status == "missing", "N/A", avg_tcp_kbps_sparkline)
| eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps)
| eval avg_tcp_eps = if (status == "missing", "N/A", avg_tcp_eps)
| `dmc_rename_forwarder_type(forwarder_type)`
| `dmc_time_format(last_connected)` | search NOT [| inputlookup dmc_assets | dedup serverName | rename serverName as hostname | fields hostname] | stats dc(guid) as "count" by status

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...