Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What search query can I use on my search head to list all forwarder hosts and their associated Splunk forwarder versions?

locose
Path Finder
‎10-15-2014 12:06 PM

Greetings

Is there a query that I can use on my search head to list all my forwarder hosts and their associated splunk forwarder versions

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

View solution in original post

Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-22-2016 12:37 PM

I think this is what you are looking for:

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-17-2016 06:45 AM

I used your solution to solve my question here.. Thanks for posting this!

https://answers.splunk.com/answers/379013/alert-if-a-forwarder-service-stops.html

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-15-2014 12:48 PM

If you can't do SoS, then here's a simple search against the _internal index that works for me;

index=_internal sourcetype=splunkd version source=*metrics.log | table hostname os version build

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

Reply
Solved! Jump to solution

locose
Path Finder
‎10-15-2014 12:24 PM

Many thanks. That worked

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...