Get list of VM's from splunk

vj5 · ‎08-08-2018

Is there a way to get the list of VM's which is forwarding data to the Splunk ?

fferozbasha · ‎08-08-2018

index=_internal sourcetype=splunkd host= group=per_host_thruput | fields series | stats values(series) as hosts

renjith_nair · ‎08-08-2018

Try

|metadata type=hosts|table host

---
What goes around comes around. If it helps, hit it with Karma 🙂

fferozbasha · ‎08-08-2018

this will list out NOT just the hosts sending data BUT also our own host details such as Search head, indexers, Heavy weight forwarders

renjith_nair · ‎08-10-2018

If you need specifically UFs, then you could use below but the search will be slow.

index="_internal" source="*metrics.log*" group=tcpin_connections  fwdType=uf |stats count by hostname|fields - count

---
What goes around comes around. If it helps, hit it with Karma 🙂

adonio · ‎08-08-2018

sure,
how does these vms send data to splunk?
try this:
| tstats max(_time) as last_event where index=* by host
that will give you the last time (in epoch) a host (maybe a vm) reported to splunk

Get list of VM's from splunk

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?