Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What search query can I use on my search head to list all forwarder hosts and their associated Splunk forwarder versions?

locose
Path Finder
‎10-15-2014 12:06 PM

Greetings

Is there a query that I can use on my search head to list all my forwarder hosts and their associated splunk forwarder versions

Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

View solution in original post

Reply
Solved! Jump to solution

rameshyedurla
Explorer
‎01-22-2016 12:37 PM

I think this is what you are looking for:

index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-17-2016 06:45 AM

I used your solution to solve my question here.. Thanks for posting this!

https://answers.splunk.com/answers/379013/alert-if-a-forwarder-service-stops.html

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-15-2014 12:48 PM

If you can't do SoS, then here's a simple search against the _internal index that works for me;

index=_internal sourcetype=splunkd version source=*metrics.log | table hostname os version build

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎10-15-2014 12:14 PM

This is part of what the SoS app uses to update its forwarders lookup file:

  index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

https://apps.splunk.com/app/748/

Reply
Solved! Jump to solution

locose
Path Finder
‎10-15-2014 12:24 PM

Many thanks. That worked

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...