Splunk Enterprise

Splunk Universal Forwarder Phone Home Via Intermediate Forwarder

JselbyELC
New Member

Hi All,

I'm currently using a query on a dashboard that shows Splunk machines that are online:
index="_internal" services/broker/phonehome/connection | stats count by host (for the past 15 minutes)

My problem is half of my machines sit behind a firewall and send their data via an intermediate forwarder.

Diagram below (Security Team wouldn't sign off the solution unless I followed this approach)


I cannot show the status of these endpoints using the same method as the host value for data in the internal index has the forwarder's hostname rather than the actual endpoint.

Has anyone found a way around this?

Thanks

Josh


nickhills
Ultra Champion

Try this:

index="_internal" services/broker/phonehome/connection 
| rex field=uri "8089_(?P<client>.+?)_" | stats count by client

It will give you a DNS name when it has one, or failing that an IP if it cant be resolved.

If my comment helps, please give it a thumbs up!

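To make the difference between the two searches concrete, here is a small added example (not code from the thread or from Splunk) that runs the same logic in Python over constructed phonehome events. The uri layout of the sample events is an assumption: the only thing the rex in the answer relies on is that the uri contains "8089_<client>_", so the samples are built that way. It shows why "stats count by host" collapses every endpoint behind the intermediate forwarder onto the forwarder's hostname, while extracting the client token from the uri recovers the real endpoint (DNS name or, when unresolved, IP). It also shows a caveat a practitioner should know: the rex hard-codes the default management port 8089, so a forwarder phoning home on a different port would silently fall out of "stats count by client".

```python
import re
from collections import Counter

# Same pattern as the rex in the accepted answer: the token after "8089_" up to the next "_".
CLIENT_RE = re.compile(r"8089_(?P<client>.+?)_")

WINDOW_SECONDS = 15 * 60  # the dashboard's "past 15 minutes"

# Constructed sample events, not real _internal data. "host" is what Splunk stamps
# on the event (the intermediate forwarder for endpoints behind the firewall);
# "uri" is assumed to carry "8089_<client>_" as the answer's rex expects.
NOW = 1_700_000_000  # constructed "current" epoch time used by the examples
SAMPLE_EVENTS = [
    {"_time": NOW - 120, "host": "intfwd01",
     "uri": "/services/broker/phonehome/connection_10.20.0.11_8089_web01.corp.example_GUID1"},
    {"_time": NOW - 300, "host": "intfwd01",  # no reverse DNS: client shows as an IP
     "uri": "/services/broker/phonehome/connection_10.20.0.12_8089_10.20.0.12_GUID2"},
    {"_time": NOW - 540, "host": "intfwd01",
     "uri": "/services/broker/phonehome/connection_10.20.0.11_8089_web01.corp.example_GUID3"},
    {"_time": NOW - 60, "host": "dmz-app01",   # endpoint that phones home directly
     "uri": "/services/broker/phonehome/connection_192.0.2.40_8089_dmz-app01_GUID4"},
    {"_time": NOW - 2400, "host": "intfwd01",  # 40 minutes old: outside the window
     "uri": "/services/broker/phonehome/connection_10.20.0.13_8089_db01.corp.example_GUID5"},
    {"_time": NOW - 90, "host": "intfwd01",    # non-default mgmt port: rex does not match
     "uri": "/services/broker/phonehome/connection_10.20.0.14_8090_app02.corp.example_GUID6"},
]


def extract_client(uri):
    """Return the client token the rex would extract, or None when it does not match.
    Splunk's "stats count by client" silently drops events where client is null."""
    m = CLIENT_RE.search(uri)
    return m.group("client") if m else None


def in_window(event, now=NOW, window=WINDOW_SECONDS):
    """Emulate the dashboard's 'past 15 minutes' time picker."""
    return now - window <= event["_time"] <= now


def count_by_host(events, now=NOW):
    """Equivalent of the original search: ... | stats count by host."""
    return dict(Counter(e["host"] for e in events if in_window(e, now)))


def count_by_client(events, now=NOW):
    """Equivalent of the accepted answer: ... | rex field=uri "8089_(?P<client>.+?)_"
    | stats count by client."""
    counts = Counter()
    for e in events:
        if not in_window(e, now):
            continue
        client = extract_client(e["uri"])
        if client is not None:
            counts[client] += 1
    return dict(counts)


def online_clients(events, now=NOW):
    """Sorted list of endpoints seen phoning home inside the window."""
    return sorted(count_by_client(events, now))


if __name__ == "__main__":
    print("by host  :", count_by_host(SAMPLE_EVENTS))
    print("by client:", count_by_client(SAMPLE_EVENTS))
    print("online   :", online_clients(SAMPLE_EVENTS))
```

Run as-is, "by host" reports only intfwd01 and dmz-app01, whereas "by client" lists web01.corp.example, 10.20.0.12 and dmz-app01 individually. app02 is missing from the client view because its uri carries 8090 rather than 8089; if non-default management ports are in use, the rex needs to match the port generically rather than the literal 8089.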

woodcock
Esteemed Legend

You should not "make it work" the way that it is. You should correct your forwarding so that the intermediate forwarder is NOT listed as host. This is not difficult and there are many articles and approaches on how to do host override.

JselbyELC
New Member

Thank you for your help, the query was very helpful. I managed to fix my hostname problem after restarting the Splunk server a couple of times!
