Splunk Search

Search query to fetch the list of servers

sarahnazzar
Explorer

Hi Splunkers!

I'm trying to frame a query which fetches the list of servers that connect to my deployment server but do not send any external or internal logs to the same.

My query for the host last accessed time using metadata is working fine, but the above criteria is not working as expected; it's fetching all the servers connecting to my deployment server.

Thanks in Advance!


jkat54
SplunkTrust

index=_internal sourcetype=splunkd "phone home" NOT [ | tstats count where index=* OR index=_* by host | fields host | return 10000 host ]

The above might work to show you hosts that have phoned home without showing those that have sent in data.

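As an added example (not from this thread or from any of the posters), here is another way to get the same list: take the deployment clients known to the deployment server from its REST endpoint, append the hosts that have any indexed data, and keep only the hosts that appear in the first set but not the second. It assumes the search is run on the deployment server itself (hence splunk_server=local), that /services/deployment/server/clients returns a hostname field and an epoch lastPhoneHomeTime field, and that hostnames are compared case-insensitively because the host field on indexed data may differ in case from the deployment client's hostname.

```spl
| rest /services/deployment/server/clients splunk_server=local
| table hostname lastPhoneHomeTime
| eval host=lower(hostname), src="phonehome"
| append
    [ | tstats count WHERE index=* OR index=_* BY host
      | eval host=lower(host), src="data" ]
| stats values(src) AS src, max(lastPhoneHomeTime) AS lastPhoneHomeTime BY host
| where mvcount(src)=1 AND src="phonehome"
| eval lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| table host lastPhoneHomeTime
```

Hosts that phone home and also send internal logs will have both "phonehome" and "data" in src and are dropped, so the result is only the clients that connect to the deployment server without indexing anything; widen or narrow the tstats WHERE clause if you only care about specific indexes.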

shivanshu1593
Builder

I'm assuming you're talking about the forwarders, connecting to your deployment master. Technically speaking, if a forwarder connects to a deployment master, then it means it is sending some sort of Internal data or phoning home. If you want to check which forwarders are reporting and which aren't, then the simplest way is to go to Settings -> Monitoring Console -> Forwarders -> Forwarders - deployment and scroll down to see the status of all of your forwarders, who are and have reported to your deployment master in the past. Those with the status of active are sending at least their Internal logs and those who are missing are not sending anything. If you want the report out of it, in the bottom of the panel, you'll find the Open in search option. You can click that.

If you're looking at your Indexers, then opening the Indexers' CM will give you an insight. If you're looking for something else, then please describe your problem in detail.

Hope this helps.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

jkat54
SplunkTrust

Slight correction: It's called a deployment server not a deployment master.


shivanshu1593
Builder

Agreed. Thank you for the correction @jkat54. I answer via my phone, and autocorrect must have changed it.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

sarahnazzar
Explorer

This option is not enabled. Could you please help with the search query that is run when we click on Open in search?

Thanks! @shivanshu1593


jkat54
SplunkTrust

Share your work...

What search have you tried for the metadata?

What are you missing from the search that is working?

What's an example of the final results you desire?


sarahnazzar
Explorer

I tried checking the last accessed time. @jkat54

| metadata type=hosts | where recentTime < now() - 86400 | eval lastaccessedtime=strftime(recentTime, "%F %T") | table host lastaccessedtime
