Get list of VM's from splunk

vj5 · ‎08-08-2018

Is there a way to get the list of VM's which is forwarding data to the Splunk ?

fferozbasha · ‎08-08-2018

index=_internal sourcetype=splunkd host= group=per_host_thruput | fields series | stats values(series) as hosts

renjith_nair · ‎08-08-2018

Try

|metadata type=hosts|table host

---
What goes around comes around. If it helps, hit it with Karma 🙂

fferozbasha · ‎08-08-2018

this will list out NOT just the hosts sending data BUT also our own host details such as Search head, indexers, Heavy weight forwarders

renjith_nair · ‎08-10-2018

If you need specifically UFs, then you could use below but the search will be slow.

index="_internal" source="*metrics.log*" group=tcpin_connections  fwdType=uf |stats count by hostname|fields - count

---
What goes around comes around. If it helps, hit it with Karma 🙂

adonio · ‎08-08-2018

sure,
how does these vms send data to splunk?
try this:
| tstats max(_time) as last_event where index=* by host
that will give you the last time (in epoch) a host (maybe a vm) reported to splunk

Get list of VM's from splunk

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...

Are you a member of the Splunk Community?

Get list of VM's from splunk

Get Operational Insights Quickly with Natural Language on the Splunk Platform

Stay Connected: Your Guide to August Tech Talks, Office Hours, and Webinars!

Unleash the Power of Splunk MCP and AI, Meet Us at .Conf 2025, and Find Even More New ...