Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What search query can I use on my search head to list all forwarder hosts and their associated Splunk forwarder versions?

locose
Path Finder
‎10-15-2014 12:06 PM

Greetings

Is there a query that I can use on my search head to list all my forwarder hosts and their associated splunk forwarder versions

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

View solution in original post

Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-22-2016 12:37 PM

I think this is what you are looking for:

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-17-2016 06:45 AM

I used your solution to solve my question here.. Thanks for posting this!

https://answers.splunk.com/answers/379013/alert-if-a-forwarder-service-stops.html

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-15-2014 12:48 PM

If you can't do SoS, then here's a simple search against the _internal index that works for me;

index=_internal sourcetype=splunkd version source=*metrics.log | table hostname os version build

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

Reply
Solved! Jump to solution

locose
Path Finder
‎10-15-2014 12:24 PM

Many thanks. That worked

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...