- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to view individual hops of data before it reac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have got "heavy forwarders" and our client has got a Splunk Heavy forwarders at their side before they send to us.
So the path of flow is
Individual host (A) with UF => Heavy Forwarders (B) => Heavy Forwarders (C) => Indexers (D)
The hostname is coming as (A) in our indexers which is fair.
Is there any chance to get information of (B) and (C) (i.e. their hostname, properties etc.)? , i.e. "hops" data went through.
Cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess, i found a field which seems very good and gives me the answer I was looking for sourcetype "splunkd" and source metrics.log
12-07-2015 13:41:36.790 +0000 INFO Metrics - group=tcpin_connections, 192.128.28.8:12345:8091, connectionType=cookedSSL, sourcePort=12345, sourceHost=192.128.28.8, sourceIp=192.128.28.8, destPort=8091, kb=7.25, _tcp_Bps=239.48, _tcp_KBps=0.23, _tcp_avg_thruput=0.29, _tcp_Kprocessed=95.17, _tcp_eps=0.13, _process_time_ms=1, evt_misc_kBps=0.00, evt_raw_kBps=0.19, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, build=f3a51e4b37b2, version=6.3.1, os=Windows, arch=x64, hostname=myhost, guid=xxxxx-yyyy-42E7-9224-C9F88B90F400, fwdType=uf, ssl=true, lastIndexer=123.45.67.89:8091, ack=true
The key fields looking for are:
- lastIndexer
- fwdType
This way, we can identify the hops
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess, i found a field which seems very good and gives me the answer I was looking for sourcetype "splunkd" and source metrics.log
12-07-2015 13:41:36.790 +0000 INFO Metrics - group=tcpin_connections, 192.128.28.8:12345:8091, connectionType=cookedSSL, sourcePort=12345, sourceHost=192.128.28.8, sourceIp=192.128.28.8, destPort=8091, kb=7.25, _tcp_Bps=239.48, _tcp_KBps=0.23, _tcp_avg_thruput=0.29, _tcp_Kprocessed=95.17, _tcp_eps=0.13, _process_time_ms=1, evt_misc_kBps=0.00, evt_raw_kBps=0.19, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, build=f3a51e4b37b2, version=6.3.1, os=Windows, arch=x64, hostname=myhost, guid=xxxxx-yyyy-42E7-9224-C9F88B90F400, fwdType=uf, ssl=true, lastIndexer=123.45.67.89:8091, ack=true
The key fields looking for are:
- lastIndexer
- fwdType
This way, we can identify the hops
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not easy to achieve this by using available logs. I guess you can make use of metrics.log in a way because metrics.log contains connection information from/to forwarders. I do not have example of search to achieve this.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
