Splunk Search

How to get the forwarder IP addresses reporting to Splunk

kteng2024
Path Finder

Hello,

Can I please know how to get all the forwarders' IP addresses that are reporting to Splunk without use of the internal index, as some of the users don't have access to the internal data. Therefore, searches created with index=_internal will not work for those people. Is there any way to create the search without the use of that to get all the forwarders' IPs?

0 Karma

somesoni2
Revered Legend

Best way would be to have a saved search, owned by your Splunk admin, which queries that data from the _internal index and puts it into 1) a lookup table, if the number of clients is smaller (<10k), or 2) a summary index, for a larger number of clients; make sure regular users have access to this summary index.

0 Karma

mayurr98
Super Champion

hey @kteng2024

Try this

  | rest /services/deployment/server/clients  | table dns ip  | rename ip as forwarder_ip

let me know if this helps!

0 Karma

somesoni2
Revered Legend

This would be a great method for admins to know the requested information. This REST endpoint is only available from the Deployment server (unless the Deployment server is added as a search peer to the search head). Furthermore, the capability of running REST queries may not be available to regular users (depends upon authorization settings), making it less feasible.

0 Karma

micahkemp
Champion

You can create a dashboard that makes use of a savedsearch configured to run as the owner of the savedsearch, even if the users accessing the dashboard don't have permission to search _internal.

This recent answers post explains the concept.

0 Karma

gcusello
SplunkTrust

Hi kteng2024,
you could create a scheduled search and put the results in a lookup using the outputlookup command.
In this way users with no access to _internal can have the result.
Bye.
Giuseppe

0 Karma

JDukeSplunk
Builder

I use this as a saved search and have it Run As "owner".

index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version  by sos_server
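Putting the thread's suggestions together as one configuration (an added example, not from any poster): the search from JDukeSplunk's answer, scheduled and dispatched as its admin owner, writes a CSV lookup that regular users read with inputlookup. The stanza names, file name, schedule and time window are assumptions.

```ini
# savedsearches.conf - owned by an admin, in the app that holds the lookup
[forwarder_inventory]
# JDukeSplunk's search with outputlookup appended; backslashes continue the value
search = index=_internal source=*metrics.log* group=tcpin_connections \
| regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" \
| eval sos_server=hostname \
| stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server \
| outputlookup forwarder_inventory.csv
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 0 * * * *
# Run with the owner's permissions so _internal is readable at schedule time,
# whoever later views the results
dispatchAs = owner

# transforms.conf - makes the CSV addressable as a lookup
[forwarder_inventory]
filename = forwarder_inventory.csv

# metadata/local.meta - readable by every role, writable by admin only
[lookups/forwarder_inventory.csv]
access = read : [ * ], write : [ admin ]
export = system

[savedsearches/forwarder_inventory]
access = read : [ admin ], write : [ admin ]

# Regular users then run:
#   | inputlookup forwarder_inventory.csv | table sos_server IP forwarder_type version
```

Because only the admin role can write the lookup and the saved search itself stays admin-only, non-admin users get the inventory without gaining any access to _internal or the ability to change what the scheduled search does.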

lenrigodoy
Explorer

Thank you, that was what I wanted to use to recognize some UFs that we use to forward data to our ES environment and that aren't under my administration.

0 Karma