Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why unable to run certificate package version query for forwarders?

x3ncrypt
Loves-to-Learn Everything
‎05-03-2022 05:29 PM

Unable to perform the following search provided by Splunk to check forwarder certificate package version:

index=_internal source=*metrics.log group=tcpout_connections

name=splunkcloud*

| stats latest(_time) AS _time latest(name) AS name by host

| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"

| eval fwd_config=if(isnotnull(output_group),“new”,“legacy”)

| stats count by _time host output_group fwd_config

| reltime

| fields _time reltime host output_group fwd_config

| sort 0 fwd_config

Labels (1)
Labels
Tags (2)
0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎05-03-2022 05:30 PM

No errors are displayed after running the search, yet I receive no returned results.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-04-2022 01:59 AM

Hi

you are running this towards Splunk Cloud environment (UFs' send data to SC) and you haven't change output_group names from what they have provided with UF configuration packages?

One change what you can do is 

 

index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),"new","legacy")
| fillnull value="N/A" output_group
| stats count by _time host output_group fwd_config
| reltime 
| fields _time reltime host output_group fwd_config 
| sort 0 fwd_config

 

So update output_group name to "N/A" if it's null (shouldn't be) after fwd_config  has set.

Have you gotten any events when you runs only 1st line?

r. Ismo

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...