Splunk Search

Find where a forwarder is forwarding too

AaronMoorcroft
Communicator

Hey Guys

I have multiple DMZs with forwarders all over the places that send to specific main forwarders if you like and then onto the indexer, is there a search that anyone knows of that I can run on a host to tell me where that device is set to forward too, I have a few boxs I need to jump on but its would be better if I can run a search as to jumping through hoops to log onto the actual device its self.

Thanks

Aaron

Tags (2)
0 Karma

MuS
Legend

Hi AaronMoorcroft

assuming your forwarders are forwarding their _internal index, you can use the following search to find the tcpout connection targets for all forwarders:

index=_internal source=*metrics.log* group=tcpout_connections | chart values(destIp) by host

hope this helps...

cheers, MuS

MuS
Legend

as I said, you need to have the forwarders _internal available. Another way would be to use the REST endpoint /data/outputs/tcp/ but again, this must be done against each forwarder. I would suggest to enable _internal forwarding this would also help in any case of troubleshooting future issues.

0 Karma

AaronMoorcroft
Communicator

That does seem to bring a few up with the expected results but by no means all, do you have any further advice ?

0 Karma

sowings
Splunk Employee
Splunk Employee

This approach might work even if only the intermediate forwarders are sending their _internal index events; you'd see incoming connections from the various forwarders in the metrics.log.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...