
How to get the forwarder IP addresses reporting to Splunk

Path Finder

Hello,

Can I please know how to get all the forwarder IP addresses that are reporting to Splunk without the use of the internal index, as some of the users don't have access to the internal data? Therefore, searches created with index=_internal will not work for those people. Is there any way to create the search, without the use of that, to get all the forwarders' IPs?

0 Karma

Re: How to get the forwarder IP addresses reporting to Splunk

Builder

I use this as a saved search and have it Run As "owner".

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(sourceIp) AS IP latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server
0 Karma

Re: How to get the forwarder IP addresses reporting to Splunk

Legend

Hi kteng2024,
You could create a scheduled search and put the results in a lookup using the outputlookup command.
In this way, users with no access to _internal can have the result.
Bye.
Giuseppe

0 Karma

Re: How to get the forwarder IP addresses reporting to Splunk

Champion

You can create a dashboard that makes use of a savedsearch configured to run as the owner of the savedsearch, even if the users accessing the dashboard don't have permission to search _internal.

This recent answers post explains the concept.

0 Karma

Re: How to get the forwarder IP addresses reporting to Splunk

SplunkTrust

hey @kteng2024

Try this

  | rest /services/deployment/server/clients  | table dns ip  | rename ip as forwarder_ip

let me know if this helps!

0 Karma

Re: How to get the forwarder IP addresses reporting to Splunk

SplunkTrust

This would be a great method for admins to know the requested information. This REST endpoint is only available from the Deployment server (unless the Deployment server is added as a search peer to the search head). Furthermore, the capability of running REST queries may not be available to regular users (it depends upon authorization settings), making it less feasible.

0 Karma

Re: How to get the forwarder IP addresses reporting to Splunk

SplunkTrust

The best way would be to have a saved search, owned by your Splunk admin, which queries that data from the _internal index and puts it into 1) a lookup table, if the number of clients is smaller (<10k), or 2) a summary index, for a larger number of clients; make sure regular users have access to this summary index.

0 Karma
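Putting the three suggestions above together on disk (the metrics.log search run as owner, Giuseppe's outputlookup idea, and the lookup-versus-summary-index advice in the last reply), here is what the configuration looks like. This is an added example, not configuration from any of the posters; the app name, stanza names, lookup file name, summary index name and role name are assumptions chosen for illustration.

```ini
# Added example, not from the thread. App, stanza, lookup, index and role
# names are placeholders. Files live under
# $SPLUNK_HOME/etc/apps/forwarder_inventory/local/ (and metadata/).

# ---- savedsearches.conf ----------------------------------------------------

[Forwarder inventory - lookup]
# Scheduled runs execute with the owner's privileges, so an admin (a role that
# can search _internal) must be the owner. dispatchAs = owner also keeps that
# context when a dashboard panel references this report by name for a
# non-admin user. Because the search string therefore runs as admin, write
# access to this stanza is restricted to admin in local.meta below.
dispatchAs = owner
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -30m
dispatch.latest_time = now
# Same tcpin_connections data as the metrics.log search earlier in the thread;
# the regex drops entries whose hostname field is only an IP address.
search = index=_internal source=*metrics.log* group=tcpin_connections \
  | regex hostname!="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$" \
  | stats latest(sourceIp) AS forwarder_ip latest(fwdType) AS forwarder_type \
          latest(os) AS os_name latest(version) AS version \
          latest(_time) AS last_seen by hostname \
  | outputlookup forwarder_inventory.csv

[Forwarder inventory - summary index]
# For large fleets (the last reply suggests above ~10k clients) write to a
# summary index instead of a CSV. With the summary-index action Splunk appends
# the collect step itself; the index must already exist in indexes.conf.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = @m
action.summary_index = 1
action.summary_index._name = summary_forwarders
search = index=_internal source=*metrics.log* group=tcpin_connections \
  | regex hostname!="^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$" \
  | stats latest(sourceIp) AS forwarder_ip latest(fwdType) AS forwarder_type \
          latest(version) AS version by hostname

# ---- metadata/local.meta ---------------------------------------------------
# Share the report and the generated lookup read-only with every role; keep
# write on the report to admin so nobody else can change what runs as owner.
# Spaces in stanza names are URL-encoded.

[savedsearches/Forwarder%20inventory%20-%20lookup]
access = read : [ * ], write : [ admin ]
export = system

[savedsearches/Forwarder%20inventory%20-%20summary%20index]
access = read : [ * ], write : [ admin ]
export = system

[lookups/forwarder_inventory.csv]
access = read : [ * ], write : [ admin ]
export = system

# ---- authorize.conf --------------------------------------------------------
# Regular users need read access to the summary index but still get none to
# _internal: "*" in srchIndexesAllowed never matches indexes starting with "_".
# "main" stands in for whatever the role could already search.

[role_user]
srchIndexesAllowed = main;summary_forwarders

# What a non-admin user then runs:
#   | inputlookup forwarder_inventory.csv
#   index=summary_forwarders | stats latest(forwarder_ip) AS forwarder_ip by hostname
```

After editing the files, restart Splunk or reload the app so the scheduler picks up the stanzas, then confirm the owner of both reports is the admin account (ownership is set by whoever created or last took ownership of the knowledge object, not by the conf file alone).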