Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Get sources configured under all apps in deployment server splunk

SrinivasaC
Path Finder
‎08-02-2016 06:10 AM

Hi,

We have 100 's of in our splunk system, what i need is, what are configured Forwarder Inputs in splunk system for all the apps using Splunk query.
i.e we have configured all the logs under inputs.conf for each app with monitor stanza around 100's of logs.

So I need to get all the logs files using Splunk Query.

Please help me.

Thanks in advance.

Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2016 08:02 AM

The metadata command may be what you are looking for.

| metadata type=sources

will give you a list of all sources.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SrinivasaC
Path Finder
‎08-03-2016 03:51 AM

Thanks for your reply..
It's giving only reported logs/sources with in the time-frame (i.e. last 15mins, 60mins, 4hrs...etc..), but not configured sources under inputs.conf file in deployment server.

0 Karma
Reply

Runals
Motivator
‎08-03-2016 09:47 AM

Splunk doesn't track/log the config files in the deployment-apps directory so there isn't anything to search. You'd have to do something like have a script generate that data (ie cat) on some interval. You could add the directory to the list of inputs easy enough but once the files are read in Splunk will only read them in if they have changed which is why I mentioned the script.

0 Karma
Reply

SrinivasaC
Path Finder
‎08-11-2016 04:49 AM

Have you check out the DeploymentMonitor app. It ships with Splunk, but is not enabled by default.

To enable it, go to Manager -> Apps and click 'enable' for the SplunkDeploymentMonitor

Then you can choose DeploymentMonitor in the 'Apps' menu (it will not have much data to show right away, since it works with scheduled searches). You can set up alerts for 'quiet' or 'missing' forwarders.

source will help:
https://answers.splunk.com/answers/48209/best-way-to-alert-for-not-receiving-data-from-a-source.html

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...