Splunk Search

How to get Splunk machine configurations in a search result such as operating systems and versions?


Hello All,

How can we get machine configuration from a Splunk search? I am trying the search below. Here we are able to get OS information, but in Windows, we have server types like Windows 2003/2008/2012 and we haven't been able to find this.


index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | dedup sourceHost | table sourceHost sourceIP os version | sort version

Can any one help me on this?


0 Karma

| rest /services/deployment/server/clients  splunk_server=local
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval Forwarder = lower(dns)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os = case(os == "linux", "Linux", os == "windows", "Windows", arch == "sun4u", "Solaris", arch == "sun4v", "Solaris")
| fields - utsname
| lookup version2build.csv build
| rename dns AS Forwarder, averagePhoneHomeInterval AS PHI
| stats values(Apps) AS Apps, values(ServerClasses) AS ServerClasses count by Forwarder ip os arch version build clientName splunk_server PHI lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-PHI | eval missing=if(missing<0, 0, missing)
| eval Missing=case (missing==0, "No", missing==1, "Yes")
| fields - missing
| addtotals count col=t row=f

If you see that Apps and ServerClass for a system to be blank, it means it is not in your configs on the Deployment Server but the system has a forwarder that is connecting to your indexer (as long as Missing is "No" that is).

0 Karma


If the REST API doesn't give you what you want, you could very easily write a scripted input and deploy it via the deployment server to your forwarders. You would probably want two different apps - one for Linux forwarders and one for Windows forwarders.

The one for Windows might be a batch script that looks something like this:


Of course, you will need an inputs.conf stanza for your scripted input. Here is the documentation.

0 Karma


I am assuming you are using a deployment server and Splunk 6.2 or higher. The information you want is available via the REST API. You will need to run this from the DMC (Distributed Management Console or Locally from the Deployment server if you want to use search.

| rest  /services/deployment/server/clients | fields - applications*, serverClasses*


 | rest splunk_server=<splunk_deployment_server> /services/deployment/server/clients | fields - applications*, serverClasses*
0 Karma


Hello bmacias,

Thanks for search query, we are running in 6.1.8, and when i ran above query in deployment server did not found windows details, its only have information regarding 32 or 64 bit, could you please guide me here? how will get information on which machine? (like windows server 2003/2008/2012)


0 Karma


If you need additional detail the windows_ta should have inputs to collect host, os version, patches, etc. Unless you have an app or class which is only deployed to each type of windows server, then you could use an eval. Basically what @lguinn stated.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>