Solved: Re: How to check successful checkins for Windows U...

OMohi · ‎05-22-2013

I would like to know whether there is a search query to determine successful check in for forwarders based on OS Windows. We can get the results from deployment monitor app, but we need solely results for windows servers. We have installed splunk forwarders on windows servers, around 100 + and want to know whether the deployment has been successful

lguinn2 · ‎05-22-2013

I like this search in general

 index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver 
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver os arch
| eval Indexer= splunk_server
| eval Hour=relative_time(_time,"@h")
| stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType os arch sourceIp sourceHost destPort Indexer Ver
| fieldformat Hour=strftime(Hour,"%x %H")

It's a variation of a search that I found in the old Deployment Monitor app a few years ago.
This search does not select based on OS, but you should be able to add a | where os="XXXX" at the end to restrict it to just the os that you want...

Update:

The search reports the amount of data that is sent from each forwarder to each indexer, hour by hour.
If you just want the overall, remove the Hour from the stats command.

View solution in original post

lguinn2 · ‎05-22-2013

I like this search in general

 index=_internal source=*metrics.log group=tcpin_connections 
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver 
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver os arch
| eval Indexer= splunk_server
| eval Hour=relative_time(_time,"@h")
| stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType os arch sourceIp sourceHost destPort Indexer Ver
| fieldformat Hour=strftime(Hour,"%x %H")

It's a variation of a search that I found in the old Deployment Monitor app a few years ago.
This search does not select based on OS, but you should be able to add a | where os="XXXX" at the end to restrict it to just the os that you want...

Update:

The search reports the amount of data that is sent from each forwarder to each indexer, hour by hour.
If you just want the overall, remove the Hour from the stats command.

OMohi · ‎05-22-2013

Thanks for ur comment, but I see duplicate entries for hostnames, is it possible to fine tune the search and exclude hostnames repeating from the list

How to check successful checkins for Windows Universal forwaders

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to check successful checkins for Windows Universal forwaders

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25