Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why unable to run certificate package version query for forwarders?

x3ncrypt
Loves-to-Learn Everything
‎05-03-2022 05:29 PM

Unable to perform the following search provided by Splunk to check forwarder certificate package version:

index=_internal source=*metrics.log group=tcpout_connections

name=splunkcloud*

| stats latest(_time) AS _time latest(name) AS name by host

| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"

| eval fwd_config=if(isnotnull(output_group),“new”,“legacy”)

| stats count by _time host output_group fwd_config

| reltime

| fields _time reltime host output_group fwd_config

| sort 0 fwd_config

Labels (1)
Labels
Tags (2)
0 Karma
Reply

x3ncrypt
Loves-to-Learn Everything
‎05-03-2022 05:30 PM

No errors are displayed after running the search, yet I receive no returned results.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-04-2022 01:59 AM

Hi

you are running this towards Splunk Cloud environment (UFs' send data to SC) and you haven't change output_group names from what they have provided with UF configuration packages?

One change what you can do is 

 

index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),"new","legacy")
| fillnull value="N/A" output_group
| stats count by _time host output_group fwd_config
| reltime 
| fields _time reltime host output_group fwd_config 
| sort 0 fwd_config

 

So update output_group name to "N/A" if it's null (shouldn't be) after fwd_config  has set.

Have you gotten any events when you runs only 1st line?

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
li.common.scroll-to.top