Splunk Search

Find where a forwarder is forwarding too

AaronMoorcroft
Communicator

Hey Guys

I have multiple DMZs with forwarders all over the places that send to specific main forwarders if you like and then onto the indexer, is there a search that anyone knows of that I can run on a host to tell me where that device is set to forward too, I have a few boxs I need to jump on but its would be better if I can run a search as to jumping through hoops to log onto the actual device its self.

Thanks

Aaron

Tags (2)
0 Karma

MuS
Legend

Hi AaronMoorcroft

assuming your forwarders are forwarding their _internal index, you can use the following search to find the tcpout connection targets for all forwarders:

index=_internal source=*metrics.log* group=tcpout_connections | chart values(destIp) by host

hope this helps...

cheers, MuS

MuS
Legend

as I said, you need to have the forwarders _internal available. Another way would be to use the REST endpoint /data/outputs/tcp/ but again, this must be done against each forwarder. I would suggest to enable _internal forwarding this would also help in any case of troubleshooting future issues.

0 Karma

AaronMoorcroft
Communicator

That does seem to bring a few up with the expected results but by no means all, do you have any further advice ?

0 Karma

sowings
Splunk Employee
Splunk Employee

This approach might work even if only the intermediate forwarders are sending their _internal index events; you'd see incoming connections from the various forwarders in the metrics.log.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...