Splunk Search

Is there an SPL query to know the last date UFs phoned in to a specific DS?

So76
Explorer

Is there an SPL query to know the last date  UFs phoned in to a specific DS. We've many DS in our company

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @So76,

you can use the search from @Roy_9 that's correct or to use the Monitoring Console that gives you all the information about Forwarders, not only last phoned date.

Ciao.

Giuseppe

0 Karma

Roy_9
Motivator

below search  gives you the list of UF's that haven't phoned in last 24 hours, you could tweak this search.

| rest splunk_server=local /services/deployment/server/clients | eval now=now(), diffTime=now-lastPhoneHomeTime, lastPhoneHomeTime=strftime(lastPhoneHomeTime,"%b %d, %Y %H:%M:%S") | search diffTime>86400 | table hostname ip instanceName utsname package splunkVersion lastPhoneHomeTime

0 Karma

So76
Explorer

Thanks for you prompt response. Can it be narrowed to a specific DS? We've multiple DS

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @So76,

for this reasono, Monitoring Console is the easiest way.

Ciao.

Giuseppe

gcusello
SplunkTrust
SplunkTrust

Hi @So76 ,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

0 Karma

So76
Explorer

used the monitoring console 

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...