How to check successful check-ins for Windows Universal forwarders

Path Finder

I would like to know whether there is a search query to determine successful check-ins for forwarders based on the Windows OS. We can get the results from the Deployment Monitor app, but we need results solely for Windows servers. We have installed Splunk forwarders on around 100+ Windows servers and want to know whether the deployment has been successful.


Legend

I like this search in general

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver os arch
| eval Indexer=splunk_server
| eval Hour=relative_time(_time,"@h")
| stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by Hour connectType os arch sourceIp sourceHost destPort Indexer Ver
| fieldformat Hour=strftime(Hour,"%x %H")

It's a variation of a search that I found in the old Deployment Monitor app a few years ago.
This search does not select based on OS, but you should be able to add a | where os="XXXX" at the end to restrict it to just the os that you want...

Update:

The search reports the amount of data that is sent from each forwarder to each indexer, hour by hour.
If you just want the overall, remove the Hour from the stats command.

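As an added example (not from this thread or from Splunk), here is a Python version of the same tcpin_connections logic run over constructed metrics.log lines: it applies the answer's hostname fallback and forwarder-type labelling, keeps one row per Windows host so a hostname is never listed twice, and compares the result with an expected server inventory to list hosts that never checked in. The log layout below is an approximation of the real metrics.log format, and the hostnames and IPs are made up.

```python
import re
from datetime import datetime

# Constructed sample (approximate metrics.log layout): WIN-APP01 checks in twice,
# lnx-db01 is Linux, and 10.0.0.13 reports neither hostname nor fwdType.
SAMPLE_LOG = """\
09-01-2023 10:00:05.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51000:9997, connectionType=cooked, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=12.50, _tcp_KBps=0.40, _tcp_eps=1.20, _tcp_Kprocessed=12.50, fwdType=uf, os="Windows", arch=x64, hostname=WIN-APP01, version=9.0.5
09-01-2023 11:00:05.456 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51002:9997, connectionType=cooked, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=7.25, _tcp_KBps=0.25, _tcp_eps=0.90, _tcp_Kprocessed=7.25, fwdType=uf, os="Windows", arch=x64, hostname=WIN-APP01, version=9.0.5
09-01-2023 11:00:05.789 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51010:9997, connectionType=cooked, sourceHost=10.0.0.12, sourceIp=10.0.0.12, destPort=9997, kb=3.00, _tcp_KBps=0.10, _tcp_eps=0.30, _tcp_Kprocessed=3.00, fwdType=uf, os="Linux", arch=x86_64, hostname=lnx-db01, version=9.0.5
09-01-2023 11:00:06.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:51020:9997, connectionType=cookedSSL, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=1.00, _tcp_KBps=0.05, _tcp_eps=0.10, _tcp_Kprocessed=1.00, os="Windows", arch=x64
"""

KV_RE = re.compile(r'(\w+)="?([^,"]*)"?')  # key=value pairs, quoted or bare
FWD_LABEL = {"uf": "univ fwder", "lwf": "lightwt fwder", "full": "heavy fwder"}
CONN_LABEL = {"cooked": "Splunk fwder", "cookedSSL": "Splunk fwder",
              "raw": "legacy fwder", "rawSSL": "legacy fwder"}

def forwarder_type(f):
    """Same labelling as the case() expression in the answer's search."""
    return FWD_LABEL.get(f.get("fwdType")) or CONN_LABEL.get(f.get("connectionType"), "unknown")

def checkins_by_host(log_text, os_name="Windows"):
    """One row per host (so no duplicate hostnames) for forwarders reporting os=<os_name>."""
    hosts = {}
    for line in log_text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        f = dict(KV_RE.findall(line))
        if f.get("os") != os_name:
            continue
        host = f.get("hostname") or f.get("sourceHost")  # the isnull(hostname) fallback
        ts = datetime.strptime(line[:19], "%m-%d-%Y %H:%M:%S")
        row = hosts.setdefault(host, {"last_seen": ts, "checkins": 0, "kb": 0.0,
                                      "type": forwarder_type(f),
                                      "version": f.get("version", "pre 4.2")})
        row["last_seen"] = max(row["last_seen"], ts)
        row["checkins"] += 1
        row["kb"] += float(f.get("kb", 0))
    return hosts

def missing_hosts(expected, hosts):
    """Hosts in the deployment inventory that never appear: the rollout gap."""
    return sorted(h for h in expected if h not in hosts)

if __name__ == "__main__":
    seen = checkins_by_host(SAMPLE_LOG)
    for host, row in sorted(seen.items()):
        print(host, row["type"], row["version"], row["checkins"], row["last_seen"], f"{row['kb']:.2f} KB")
    print("never checked in:", missing_hosts(["WIN-APP01", "WIN-APP02", "10.0.0.13"], seen))
```

The inventory passed to missing_hosts would in practice come from your CMDB or deployment server class, not a hard-coded list.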


Path Finder

Thanks for your comment, but I see duplicate entries for hostnames. Is it possible to fine-tune the search and exclude hostnames repeating in the list?
