Security

How do you build a search that gets a list of forwarders using SSL with successful connections?

guheal
New Member

Can you help me make a search/query so I can get a list of forwarders using SSL with successful connections?

Tags (2)
0 Karma

zrxcrasher
Loves-to-Learn Lots

I am working on the following which gives a more complete picture. Downloading to XLS and then turning on filtering allows you to easily see OS type, ForwarderType, Version, lastIndexer communicated with, etc.

index=_internal source=*metrics.log component=Metrics group=tcpin_connections
| dedup hostname
| table hostname, sourceIp, os, arch, fwdType, version, ssl, guid, lastIndexer, _time
| sort hostname

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

Hi @guheal,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma

inventsekar
SplunkTrust
SplunkTrust

This works fine on my Splunk 7.0.3
index=_internal source=*metrics.log group=tcpin_connections ssl=true

To have the forwarder and the connect time as a table -
index=_internal source=*metrics.log group=tcpin_connections ssl=true | table sourceHost _time

Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...