Forgive my newbieness - I've tried doing this with:
| metadata type=sourcetypes index="*"
but the output is difficult to interpret, let alone decipher for each thing that is sending data. Is there a way to just do a search to return a list like "Cisco Netflow devices = x, Windows server sources = y" with those numbers just being a sum of those types?
The reason I ask is that a lot of the data feeding into our systems now was done prior to my arriving on the scene, and to be honest, I have no idea of the total scope of devices reporting into Splunk. I'd just like to total up how many of each type there are and have it be readable.
Thanks in advance!
Michael
By "devices reporting to Splunk" I take it you mean forwarders. If so, this search will show all the forwarders that have contacted the Splunk indexer in a given time frame (use the drop-down menu to select, say, last 24 hours).
index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost|table sourceHost, hostname, fwdType, guid, os, arch
sourceHost host fwdType guid os arch
1 xxx.xxx.xx.28 SERV01 full A66CB486-6158-4E85-AFA5-D7EED69230F3 Windows x64
2 xxx.xxx.xx.81 MBSX full 656C9C0C-A7EA-4FE0-8890-CB3178026598 Windows x64
3 xxx.xxx.xx.80 CASIO2 full 728C36E5-3511-4449-9440-4244F84C85B8 Windows x64
6 xxx.xxx.xx.24 MBS444 full 41872E63-6FAB-4050-85CC-6EDC5FEA21A4 Windows x64
8 xxx.xxx.xx.185 logger full ECB32768-B062-47DC-B652-34D79B6B2B45 SunOS sun4v
guid is a unique id for each forwarder. You can modify the search to leave details out you don't need.
If you are running Deployment Monitor you'll have an index called summary_forwarders which would let you use this alternate search:
index="summary_forwarders" NOT sourceHost="127.0.0.1" | stats count by sourceHost sourceIp connectionType version build lastConnected | eval lastConnected=strftime(lastConnected,"%m/%d/%Y %H:%M:%S") | fields sourceHost sourceIp connectionType version build lastConnected | dedup 1 sourceHost sortby -lastConnected | eval sourceHost=lower(sourceHost) | sort sourceHost
Here is a sample of the output:
sourceHost sourceIp connectionType version build lastConnected
abs-acct.xyz.uci.edu xxx.xxx.141.250 heavy forwarder 6.1.4 233537 07/01/2015 14:59:59
abs-dc01.xyz.uci.edu xxx.xxx.140.110 heavy forwarder 6.1.4 233537 07/01/2015 14:59:59
abs-dc02.xyz.uci.edu xxx.xxx.219.220 heavy forwarder 6.1.4 233537 07/01/2015 14:59:59
acserver.mmd.uci.edu xxx.xxx.114.50 heavy forwarder 6.1.4 233537 07/01/2015 14:59:59
ad-saturn-db01 xxx.xxx.77.68 heavy forwarder 6.2.0 237341 07/01/2015 14:59:59
ad-docushare09 xxx.xxx.217.116 heavy forwarder 6.2.0 237341 07/01/2015 14:59:59
nessus xxx.xxx.140.3 heavy forwarder 5.0.2 149561 07/01/2015 14:59:59
ad-juno-db01 xxx.xxx.142.85 heavy forwarder 6.2.0 237341 07/01/2015 14:59:59
ticklab-prd xxx.xxx.109.135 heavy forwarder 6.2.0 237341 07/01/2015 14:59:59
cas2010 xxx.xxx.73.114 heavy forwarder 6.1.4 233537 07/01/2015 14:59:59
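To get the per-type totals the question asked for, rather than one row per forwarder, the first search above can aggregate instead of tabulate: replacing `| dedup sourceHost | table ...` with `| stats dc(guid) by fwdType, os` counts distinct forwarders per type. The Python below is an added example, not part of this thread, that does the same counting offline over constructed metrics.log lines (hostnames, IPs and GUIDs are made up, and the line layout only approximates the tcpin_connections entries). It keys on guid, as the answer notes that is the unique id per forwarder, and it also flags a guid seen from more than one sourceHost, which a dedup on sourceHost would have counted twice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample approximating tcpin_connections entries from
# $SPLUNK_HOME/var/log/splunk/metrics.log. Hosts, IPs and GUIDs are made up.
# Lines 2 and 3 are the same forwarder reporting in two metrics intervals;
# lines 4 and 5 are the same GUID seen from two different sourceHost values.
SAMPLE_METRICS_LOG = """\
07-01-2015 14:59:59.001 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.28:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.0.0.28, sourceIp=10.0.0.28, destPort=9997, kb=12.34, build=233537, version=6.1.4, os=Windows, arch=x64, hostname=SERV01, guid=00000000-0000-4000-8000-000000000001, fwdType=full, ssl=false, ack=false
07-01-2015 14:59:59.002 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.81:51235:9997, connectionType=cooked, sourcePort=51235, sourceHost=10.0.0.81, sourceIp=10.0.0.81, destPort=9997, kb=1.00, build=233537, version=6.1.4, os=Windows, arch=x64, hostname=MBSX, guid=00000000-0000-4000-8000-000000000002, fwdType=uf, ssl=false, ack=false
07-01-2015 15:00:29.002 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.81:51235:9997, connectionType=cooked, sourcePort=51235, sourceHost=10.0.0.81, sourceIp=10.0.0.81, destPort=9997, kb=0.50, build=233537, version=6.1.4, os=Windows, arch=x64, hostname=MBSX, guid=00000000-0000-4000-8000-000000000002, fwdType=uf, ssl=false, ack=false
07-01-2015 15:00:29.003 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.185:40001:9997, connectionType=cooked, sourcePort=40001, sourceHost=10.0.0.185, sourceIp=10.0.0.185, destPort=9997, kb=3.21, build=233537, version=6.1.4, os=SunOS, arch=sun4v, hostname=logger, guid=00000000-0000-4000-8000-000000000003, fwdType=full, ssl=true, ack=false
07-01-2015 15:00:59.003 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.186:40002:9997, connectionType=cooked, sourcePort=40002, sourceHost=10.0.0.186, sourceIp=10.0.0.186, destPort=9997, kb=3.21, build=233537, version=6.1.4, os=SunOS, arch=sun4v, hostname=logger, guid=00000000-0000-4000-8000-000000000003, fwdType=full, ssl=true, ack=false
07-01-2015 15:00:59.004 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.5, instantaneous_eps=10
"""

# key=value pairs are comma separated; values never contain commas or spaces
KV_RE = re.compile(r"(\w+)=([^,\s]*)")


def parse_tcpin_connections(text):
    """Yield one dict of key=value fields per tcpin_connections line, skipping other groups."""
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        yield dict(KV_RE.findall(line))


def forwarder_inventory(text):
    """Collapse repeated reports into one record per forwarder, keyed by guid.

    Lines arrive in time order, so the last record for a guid wins. Every
    sourceHost the guid was seen from is remembered separately.
    """
    latest = {}
    seen_from = defaultdict(set)
    for rec in parse_tcpin_connections(text):
        guid = rec.get("guid")
        if not guid:
            continue
        latest[guid] = rec
        seen_from[guid].add(rec.get("sourceHost", "?"))
    return latest, dict(seen_from)


def count_by(inventory, *fields):
    """Total distinct forwarders per combination of the given fields, e.g. ("fwdType", "os")."""
    return Counter(tuple(rec.get(f, "unknown") for f in fields) for rec in inventory.values())


def multi_homed(seen_from):
    """Guids that reported from more than one sourceHost.

    Usually NAT or DHCP churn, but a cloned image that kept its instance.cfg
    shows up the same way (two machines, one guid), so these merit a look.
    """
    return {g: sorted(hosts) for g, hosts in seen_from.items() if len(hosts) > 1}


if __name__ == "__main__":
    inventory, seen_from = forwarder_inventory(SAMPLE_METRICS_LOG)
    print(f"{len(inventory)} distinct forwarders")
    for (fwd_type, os_name), n in sorted(count_by(inventory, "fwdType", "os").items()):
        print(f"  fwdType={fwd_type:<5} os={os_name:<8} = {n}")
    for guid, hosts in multi_homed(seen_from).items():
        print(f"  guid {guid} seen from {', '.join(hosts)}")
```

On a live system the same grouping is cheaper to do in Splunk itself with `stats dc(guid) by fwdType, os`; the script is useful when you only have an exported metrics.log, or want the multi-homed check, which the one-line search does not give you.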
Completely and totally awesome, wrangler2x! That does exactly what I need. I wouldn't have even known where to look! Good thing I'm going to .conf next week! 🙂
Thanks again!
Also try this next one, below. 🙂