Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the easiest way to identify my universal forwarder versions

conner9
Path Finder
‎07-02-2014 03:44 PM

I'm looking for a search that will let me check what forwarder revisions are installed on individual machines.

Anyone know of one?

Thanks,

Reply
1 Solution
Solved! Jump to solution
Solution

kscher
Path Finder
‎07-02-2014 07:34 PM

I lifted this from somewhere - might have been SoS. It's got cosmetics you probably don't need and it returns data for all types of forwarders, not just UFs. Anyhow, here it is:

index="_internal" source="*metrics.lo*" group=tcpin_connections | dedup guid| eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")| eval build=if(isnull(build),"n/a",build) | eval version=if(isnull(version),"pre 4.2",version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),"n/a",os)| eval arch=if(isnull(arch),"n/a",arch) | table sourceHost connectionType sourceIp sourceHost ssl ack build version os arch guid

View solution in original post

Reply
Solved! Jump to solution
Solution

kscher
Path Finder
‎07-02-2014 07:34 PM

I lifted this from somewhere - might have been SoS. It's got cosmetics you probably don't need and it returns data for all types of forwarders, not just UFs. Anyhow, here it is:

index="_internal" source="*metrics.lo*" group=tcpin_connections | dedup guid| eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")| eval build=if(isnull(build),"n/a",build) | eval version=if(isnull(version),"pre 4.2",version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),"n/a",os)| eval arch=if(isnull(arch),"n/a",arch) | table sourceHost connectionType sourceIp sourceHost ssl ack build version os arch guid
Reply
Solved! Jump to solution

murphy2400
New Member
‎01-06-2020 06:33 AM

Thanks. Needed a quick search and this still works in 8.0.1

0 Karma
Reply
Solved! Jump to solution

conner9
Path Finder
‎08-15-2014 12:10 PM

This was exactly what I was looking for.

Thank you

Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎07-03-2014 06:23 AM

I think this is from Deployment Monitor

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-02-2014 04:07 PM

The easiest way would be to install the SoS app: http://apps.splunk.com/app/748/
That already comes with searches to pry the info from Splunk's logs.

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...