| rest /services/deployment/server/clients splunk_server=local
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval Forwarder = lower(dns)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os = case(os == "linux", "Linux", os == "windows", "Windows", arch == "sun4u", "Solaris", arch == "sun4v", "Solaris")
| fields - utsname
| lookup version2build.csv build
| rename dns AS Forwarder, averagePhoneHomeInterval AS PHI
| stats values(Apps) AS Apps, values(ServerClasses) AS ServerClasses count by Forwarder ip os arch version build clientName splunk_server PHI lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-PHI | eval missing=if(missing<0, 0, missing)
| eval Missing=case (missing==0, "No", missing==1, "Yes")
| fields - missing
| addtotals count col=t row=f
If you see that Apps and ServerClass for a system to be blank, it means it is not in your configs on the Deployment Server but the system has a forwarder that is connecting to your indexer (as long as Missing is "No" that is).
... View more