Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to determine which deployment server a forwarder is phoning home to?

keithyap
Path Finder
‎08-01-2016 08:33 PM

I have multiple deployment servers.The global deployment server is to distribute basic configurations and also configurations for the forwarder to connect to a regional deployment server.

I want to create a dashboard to monitor which deployment server a forwarder is currently reporting to. How do I get the deployment server that a forwarder is currently connected to ?

Any advise would be greatly appreciated. Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-02-2016 07:47 AM

Give this a try

index=_internal sourcetype=splunkd component=PubSubSvr  | rex "\/handshake\/reply\/(?P<DeploymentClient>[^\/]+)" | stats count by host DeploymentClient | rename host as DeploymentServer | fields - count

View solution in original post

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎08-02-2016 07:59 AM

If you have access to the forwarder, you could run the CLI command to see what it's pointed to also;

$SPLUNK_HOME/bin/splunk show deploy-poll

http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/CLIadmincommands

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-02-2016 07:47 AM

Give this a try

index=_internal sourcetype=splunkd component=PubSubSvr  | rex "\/handshake\/reply\/(?P<DeploymentClient>[^\/]+)" | stats count by host DeploymentClient | rename host as DeploymentServer | fields - count

View solution in original post

Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎08-02-2016 07:31 AM

Maybe the following thread can point you in the right direction - How to determine if forwarder is phoning home to deployment server

It shows there - 

 index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler) host=hostname
 | sort _time
 | table _time host log_level message
0 Karma
Reply
The Latest From the Splunk Community!