Hi All,
I'm currently using a query on a dashboard that is showing Splunk machines that are online:
index="_internal" services/broker/phonehome/connection | stats count by host (for the past 15 minutes)
My problem is half of my machines sit behind a firewall and send their data via an intermediate forwarder.
Diagram below (Security Team wouldn't sign off the solution unless I followed this approach)
I cannot show the status of these endpoints using the same method, as the host value for data in the internal index has the forwarder's hostname rather than the actual endpoint's.
Has anyone found a way around this?
Thanks
Josh