Monitoring Splunk

hosts reporting stats

FAnalyst
Engager

I see there is a forwarder management dashboard in the monitoring console where you can check whether a host is reporting or not. I want the search that is used, as the table contains the host name and the IP address; also, there is no option for export in that dashboard. There is another similar dashboard in the monitoring console named forwarder_deployment, but it does not show the IP address, only the host name. Can you help with that?

0 Karma

livehybrid
SplunkTrust

Hi @FAnalyst 

The answers provided so far either look at forwarders sending data to your Splunk indexers or look at allowlist configurations in serverclasses; however, I believe you are looking for the host and IP of deployment clients when they connect. If that is the case, then try the search below:

 

| tstats latest(_time) as lastPhoneHome WHERE index=_dsphonehome earliest=-24h latest=now by data.clientId
| append
    [| tstats latest(_time) as lastRestart where index=_dsclient earliest=0 latest=now by data.name, data.build, data.clientId, data.splunkVersion, data.package, data.hostname]
| stats latest(*) AS * by data.clientId
| eval lastPhoneHomeFriendly=strftime(lastPhoneHome,"%d/%m/%Y %H:%M:%S")

 


This was tested on Splunk 9.3, but I believe it should work from <9.2.

Please let me know how you get on, and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

0 Karma

kiran_panchavat
SplunkTrust

@FAnalyst 

You should be able to get a list of whitelist servers using the following query.

| rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname

You can put it in a lookup file or just use the rest query itself and compare it against deployment/server/clients to know which clients are configured in serverclass.conf but not sending phonehome. Something like this:

| rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname | eval state="configured" | append [| rest /services/deployment/server/clients | table title | rename title as hostname | eval state="phonehome" ] | stats values(state) as state by hostname | where mvcount(state)=1 AND state="configured"

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma

kiran_panchavat
SplunkTrust

@FAnalyst 

Use the below search to get an exportable list of deployment clients.

| rest splunk_server=local /services/deployment/server/clients 
| table hostname utsname
| sort utsname

Another way to find forwarders is to search the internal index for incoming TCP connections.

index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections 
| dedup sourceHost
| table sourceHost fwdType

 


To see all hosts that send data, not just forwarders, count the hosts found in all indexes.

| tstats count where index=* host=* by host
 
0 Karma

FAnalyst
Engager

Thank you for your answer. I tried the search you shared; it does not show the IP address of the hosts, and also the number does not match the number shown in the forwarder management dashboard.

0 Karma

kiran_panchavat
SplunkTrust

@FAnalyst 

Try this 

index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections 
| dedup sourceHost
| table sourceHost fwdType
0 Karma

Cievo
Path Finder

You can search using the following searches:

| tstats values(splunk_server) as Host, values(clientip) as IP
where index=_internal sourcetype=splunkd
by host

or 

index=_internal sourcetype=splunkd
| stats values(clientip) as IP by host

Enjoy,

 

0 Karma
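
Added example, not part of any post above: one search that lists each deployment client with its IP address from the clients REST endpoint and matches it by GUID against the last 24 hours of tcpin_connections metrics, so that clients which phone home but send no data, and forwarders which send data without being deployment clients, show up as separate states. It assumes the endpoint returns the fields guid, ip, dns and lastPhoneHomeTime (epoch seconds) and that the metrics events carry guid, sourceIp, hostname and fwdType; the 24-hour window and the state labels are choices made for this example.

```spl
| rest splunk_server=local /services/deployment/server/clients
| eval phoneHomeAgeMin=round((now() - lastPhoneHomeTime) / 60)
| eval lastPhoneHome=strftime(lastPhoneHomeTime, "%Y-%m-%d %H:%M:%S")
| fields guid hostname ip dns utsname splunkVersion lastPhoneHome phoneHomeAgeMin
| append
    [ search index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections earliest=-24h
      | stats latest(_time) as lastDataTime latest(sourceIp) as sourceIp latest(hostname) as fwdHostname latest(fwdType) as fwdType by guid
      | eval lastData=strftime(lastDataTime, "%Y-%m-%d %H:%M:%S")
      | fields guid fwdHostname sourceIp fwdType lastData ]
| stats values(*) as * by guid
| eval state=case(isnotnull(ip) AND isnotnull(sourceIp), "phonehome and data",
                  isnotnull(ip), "phonehome only",
                  true(), "data only")
| eval hostname=coalesce(hostname, fwdHostname)
| table hostname ip sourceIp dns utsname splunkVersion fwdType lastPhoneHome phoneHomeAgeMin lastData state
| sort state hostname
```

Run it on the deployment server; the result table can be exported from the search view, or written to a lookup by appending `| outputlookup` with a file name of your choice.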