Splunk Search
Highlighted

Find where a forwarder is forwarding too

Communicator

Hey Guys

I have multiple DMZs with forwarders all over the places that send to specific main forwarders if you like and then onto the indexer, is there a search that anyone knows of that I can run on a host to tell me where that device is set to forward too, I have a few boxs I need to jump on but its would be better if I can run a search as to jumping through hoops to log onto the actual device its self.

Thanks

Aaron

Tags (2)
0 Karma
Highlighted

Re: Find where a forwarder is forwarding too

SplunkTrust
SplunkTrust

Hi AaronMoorcroft

assuming your forwarders are forwarding their _internal index, you can use the following search to find the tcpout connection targets for all forwarders:

index=_internal source=*metrics.log* group=tcpout_connections | chart values(destIp) by host

hope this helps...

cheers, MuS

Highlighted

Re: Find where a forwarder is forwarding too

Champion

This approach might work even if only the intermediate forwarders are sending their _internal index events; you'd see incoming connections from the various forwarders in the metrics.log.

0 Karma
Highlighted

Re: Find where a forwarder is forwarding too

Communicator

That does seem to bring a few up with the expected results but by no means all, do you have any further advice ?

0 Karma
Highlighted

Re: Find where a forwarder is forwarding too

SplunkTrust
SplunkTrust

as I said, you need to have the forwarders _internal available. Another way would be to use the REST endpoint /data/outputs/tcp/ but again, this must be done against each forwarder. I would suggest to enable _internal forwarding this would also help in any case of troubleshooting future issues.

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.