Hello,
Can I please know how to get all the forwarder IP addresses that are reporting to Splunk without using the internal index, as some of the users don't have access to the internal data. Therefore, searches created with index=_internal will not work for those people. Is there any way to create the search without using that, to get all the forwarder IPs?
Best way would be to have a saved search, owned by your Splunk admin, which queries that data from the _internal index and puts it into 1) a lookup table, if the number of clients is smaller (<10k), or 2) a summary index, for a larger number of clients; make sure regular users have access to this summary index.
hey @kteng2024
Try this
| rest /services/deployment/server/clients | table dns ip | rename ip as forwarder_ip
let me know if this helps!
This would be a great method for admins to know the requested information. This REST endpoint is only available from the Deployment server (unless the Deployment server is added as a search peer to the search head). Furthermore, the capability of running REST queries may not be available to regular users (depends upon authorization settings), making it less feasible.
You can create a dashboard that makes use of a savedsearch configured to run as the owner of the savedsearch, even if the users accessing the dashboard don't have permission to search _internal.
This recent answers post explains the concept.
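As an added illustration of the dashboard approach (not from the thread or from Splunk's own documentation), a minimal Simple XML dashboard whose table panel references a saved search by name. The saved search name "Forwarder inventory (run as owner)" is an assumption; for this to work for non-admin users, that saved search must be shared with read permission to their role and have its "Run As" set to Owner (dispatchAs = owner in savedsearches.conf), so the search executes with the owner's _internal access while the viewer only needs permission to the dashboard and the saved search object.

```xml
<!-- Added example dashboard, not part of the original thread.
     The ref value is an assumed saved-search name; the saved search itself
     must be owned by an admin, shared to the users' role, and run as owner. -->
<dashboard>
  <label>Forwarder Inventory</label>
  <row>
    <panel>
      <title>Forwarders seen in metrics.log (via owner-scoped saved search)</title>
      <table>
        <!-- Reference the saved search instead of embedding index=_internal here;
             an inline index=_internal query would run as the viewing user and fail. -->
        <search ref="Forwarder inventory (run as owner)"/>
        <option name="count">50</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The key design point is that the query text never lives in the dashboard: if it did, it would be dispatched under the viewer's own role and the _internal restriction would apply again.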
Hi kteng2024,
you could create a scheduled search and put the results in a lookup using the outputlookup command.
In this way users with no access to _internal can have the result.
Bye.
Giuseppe
I use this as a saved search and have it Run As "owner".
index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server
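The following is an added configuration example (not from the thread) that wires together the suggestions above: the saved search from the previous reply, scheduled and run as owner, writing its results to a lookup with outputlookup, with the lookup shared so that users without _internal access can read it. The stanza name, lookup name, app name and schedule are assumptions; the added last_seen field (latest(_time)) is my extension to the original search so stale forwarders can be spotted.

```ini
# savedsearches.conf in your app (e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/)
# Added example, not part of the original thread. Names are assumptions.
[Forwarder inventory (run as owner)]
# Same search as the reply above, plus last_seen, ending in outputlookup.
search = index=_internal source=*metrics.log* group=tcpin_connections \
  | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" \
  | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type \
          latest(os) AS os_name latest(version) AS version latest(_time) AS last_seen by hostname \
  | outputlookup createinapp=true forwarder_inventory.csv
# Run every 15 minutes over the last 24 hours (assumed schedule; adjust to taste).
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
# Execute with the owner's (admin's) permissions so _internal is searchable.
dispatchAs = owner

# transforms.conf: make the CSV addressable as a lookup definition.
[forwarder_inventory]
filename = forwarder_inventory.csv

# metadata/local.meta: share the lookup file and the saved search read-only
# with every role; only admins may write them. 'export = system' makes the
# objects visible from other apps, drop it if you want app-local scope.
[lookups/forwarder_inventory.csv]
access = read : [ * ], write : [ admin ]
export = system

[savedsearches/Forwarder%20inventory%20(run%20as%20owner)]
access = read : [ * ], write : [ admin ]
export = system

# What a non-admin user then runs (no _internal access required):
#   | inputlookup forwarder_inventory.csv
#   | table hostname IP forwarder_type os_name version last_seen
```

Two caveats worth keeping in mind: the saved search only sees forwarders that sent data within its dispatch window, so a forwarder that has been silent for more than 24 hours drops out of the lookup on the next run (last_seen lets you widen the window and filter instead), and because outputlookup overwrites the file each run, a scheduled run that returns no events (for example during an indexer outage) empties the lookup unless you widen the window or guard the search.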
Thank you, that was what I wanted to use to recognize some UFs that we use to forward data to our ES environment and that aren't under my administration.