Monitoring Splunk

hosts reporting stats

FAnalyst
Engager

I see there is a Forwarder Management dashboard in the Monitoring Console where you can check whether a host is reporting or not. I want the search that is used, as the table contains the host name and the IP address; also, there is no export option in that dashboard. There is another similar dashboard in the Monitoring Console named forwarder_deployment, but it shows only the host name, not the IP address. Can you help with that?


livehybrid
Super Champion

Hi @FAnalyst 

The answers provided so far either look at forwarders sending data to your Splunk indexers or at allowlist configurations in serverclasses; however, I believe you are looking for the host and IP of deployment clients when they connect? If that is the case, then try the search below:

 

| tstats latest(_time) as lastPhoneHome WHERE index=_dsphonehome earliest=-24h latest=now by data.clientId
| append
    [| tstats latest(_time) as lastRestart where index=_dsclient earliest=0 latest=now by data.name, data.build, data.clientId, data.splunkVersion, data.package, data.hostname]
| stats latest(*) AS * by data.clientId
| eval lastPhoneHomeFriendly=strftime(lastPhoneHome,"%d/%m/%Y %H:%M:%S")

 


This was tested on Splunk 9.3, but I believe it should work from <9.2.

Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will


kiran_panchavat
Influencer

@FAnalyst 

You should be able to get the list of whitelisted servers using the following query.

| rest /services/deployment/server/serverclasses
| table title whitelist.*
| untable title whitelist hostname
| stats count by hostname
| table hostname

You can put it into a lookup file, or just use the REST query itself and compare it against deployment/server/clients to find which clients are configured in serverclass.conf but are not sending phonehome. Something like this:

| rest /services/deployment/server/serverclasses
| table title whitelist.*
| untable title whitelist hostname
| stats count by hostname
| table hostname
| eval state="configured"
| append
    [| rest /services/deployment/server/clients
     | table title
     | rename title as hostname
     | eval state="phonehome"]
| stats values(state) as state by hostname
| where mvcount(state)=1 AND state="configured"

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

kiran_panchavat
Influencer

@FAnalyst 

Use the below search to get an exportable list of deployment clients.

| rest splunk_server=local /services/deployment/server/clients 
| table hostname utsname
| sort utsname

Another way to find forwarders is to search the internal index for incoming TCP connections.

index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections 
| dedup sourceHost
| table sourceHost fwdType

 


To see all hosts that send data, not just forwarders, count the hosts found in all indexes.

| tstats count where index=* host=* by host
 
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
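An added search, not posted by anyone in this thread, that extends the REST listing above so each deployment client is shown with its IP address and a reporting status, which is the host/IP/reporting view the question asks for. It assumes the deployment/server/clients endpoint returns the fields ip, dns and lastPhoneHomeTime (epoch seconds), and it uses a 15-minute (900 s) staleness threshold as a constructed default; set the threshold to a few multiples of your clients' phoneHomeIntervalInSecs.

```spl
| rest splunk_server=local /services/deployment/server/clients
| eval secsSincePhoneHome = now() - lastPhoneHomeTime
| eval status = if(secsSincePhoneHome > 900, "not reporting", "reporting")
| eval lastPhoneHome = strftime(lastPhoneHomeTime, "%d/%m/%Y %H:%M:%S")
| table hostname ip dns utsname splunkVersion lastPhoneHome secsSincePhoneHome status
| sort -secsSincePhoneHome
```

Run it from Search & Reporting, where the standard Export button is available (or append | outputlookup deployment_clients_status.csv to write it to a lookup); clients that have stopped phoning home, i.e. hosts whose logs are no longer reaching you, sort to the top.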

FAnalyst
Engager

Thank you for your answer. I tried the search you shared; it does not show the IP address of the hosts, and the number also does not match the number shown in the Forwarder Management dashboard.


kiran_panchavat
Influencer

@FAnalyst 

Try this 

index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections 
| dedup sourceHost
| table sourceHost fwdType
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

Cievo
Path Finder

You can search using the following searches:

| tstats values(splunk_server) as Host, values(clientip) as IP
    where index=_internal sourcetype=splunkd
    by host

or 

index=_internal sourcetype=splunkd
| stats values(clientip) as IP by host

Enjoy,

 
