Re: Unable to run certificate package version quer...

x3ncrypt · ‎05-03-2022

Unable to perform the following search provided by Splunk to check forwarder certificate package version:

index=_internal source=*metrics.log group=tcpout_connections

name=splunkcloud*

| stats latest(_time) AS _time latest(name) AS name by host

| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"

| eval fwd_config=if(isnotnull(output_group),“new”,“legacy”)

| stats count by _time host output_group fwd_config

| reltime

| fields _time reltime host output_group fwd_config

| sort 0 fwd_config

x3ncrypt · ‎05-03-2022

No errors are displayed after running the search, yet I receive no returned results.

isoutamo · ‎05-04-2022

Hi

you are running this towards Splunk Cloud environment (UFs' send data to SC) and you haven't change output_group names from what they have provided with UF configuration packages?

One change what you can do is

index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),"new","legacy")
| fillnull value="N/A" output_group
| stats count by _time host output_group fwd_config
| reltime 
| fields _time reltime host output_group fwd_config 
| sort 0 fwd_config

So update output_group name to "N/A" if it's null (shouldn't be) after fwd_config has set.

Have you gotten any events when you runs only 1st line?

r. Ismo

Why unable to run certificate package version query for forwarders?

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!