Please help with an SPL to find IF multiple FWs ar...

SamHTexas · ‎06-14-2021

Please help with an SPL to find if multiple FWs are installed on a host & List of all hosts, OS & IPs.

gcusello · ‎06-14-2021

to understand if you have more than one Forwarder installed and running on the same host it's really difficoult because usually Forwarders take hostname from the server where thay are installed, so two forwarders on the same server send logs with the same hostname and you cannot distinguish them.

So if you have this doubs, the only way is to check the processes running on each server and find if there are more than one "splunkd" active process.

To do this you have to run a script that you can find in Splunk_TA_Windows (for Windows server) or in Splunk_TA_Linux (for Linux servers).

To have a list of all your servers with OS and IP you can use the search that you can find in the first panel of the "Forwarders: Deployment" dashboard of the MC, in other words:

| inputlookup dmc_forwarder_assets
| makemv delim=" " avg_tcp_kbps_sparkline
| eval sum_kb = if (status == "missing", "N/A", sum_kb)
| eval avg_tcp_kbps_sparkline = if (status == "missing", "N/A", avg_tcp_kbps_sparkline)
| eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps)
| eval avg_tcp_eps = if (status == "missing", "N/A", avg_tcp_eps)
| `dmc_rename_forwarder_type(forwarder_type)`
| `dmc_time_format(last_connected)` | search NOT [| inputlookup dmc_assets | dedup serverName | rename serverName as hostname | fields hostname] | stats dc(guid) as "count" by status

Ciao.

Giuseppe

Please help with an SPL to find IF multiple FWs are installed on a host & List of all hosts, OS & IPs

forwarder management

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!