Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What search query can I use on my search head to list all forwarder hosts and their associated Splunk forwarder versions?

locose
Path Finder
‎10-15-2014 12:06 PM

Greetings

Is there a query that I can use on my search head to list all my forwarder hosts and their associated splunk forwarder versions

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

View solution in original post

Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-22-2016 12:37 PM

I think this is what you are looking for:

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-17-2016 06:45 AM

I used your solution to solve my question here.. Thanks for posting this!

https://answers.splunk.com/answers/379013/alert-if-a-forwarder-service-stops.html

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-15-2014 12:48 PM

If you can't do SoS, then here's a simple search against the _internal index that works for me;

index=_internal sourcetype=splunkd version source=*metrics.log | table hostname os version build

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

Reply
Solved! Jump to solution

locose
Path Finder
‎10-15-2014 12:24 PM

Many thanks. That worked

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...