Deployment Architecture

Is forwarder management data indexed?

chanfoli
Builder

Hello,

I want to be able to customize searches on the data in the forwarder management page. It would seem that client phone-home status is being cached somewhere like in an index but I can't find it. I would like to be able to have more flexible filtering on what I see and the ability to sort it.

Thanks,
Sean


lguinn2
Legend

Look in the _internal index. Here are some ideas to get you started...

Are apps being downloaded?

index=_internal component=DeployedApplication OR
      component=PackageDownloadRestHandler sourcetype=splunkd
| table _time log_level host app message

Is the deployment client phoning home?

index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler)
| sort _time
| table _time host log_level message

Is the deployment server hearing the phone homes?

index=_internal metrics group=deploy-server sourcetype=splunkd 
| timechart span=2m avg(nReceived) by host
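The asker wants the Clients view with his own filters and sort order. Building on the phone-home search above, this added search (example SPL written for this thread, not part of lguinn2's post) rolls the DC* events up per client, flags anyone who has not phoned home within a chosen window, and sorts by staleness. It assumes, as lguinn2 notes, that each client's splunkd.log is forwarded to the indexers, so the `host` field identifies the client; `stale_minutes` and `phonehomes` are field names chosen here, and the 5-minute threshold is an example value.

```spl
index=_internal sourcetype=splunkd ((*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler))
| stats latest(_time) AS last_phonehome, count AS phonehomes BY host
| eval stale_minutes = round((now() - last_phonehome) / 60, 1)
| where stale_minutes > 5
| sort - stale_minutes
| fieldformat last_phonehome = strftime(last_phonehome, "%Y-%m-%d %H:%M:%S")
| table host last_phonehome stale_minutes phonehomes
```

Change the `where` clause (for example `host=win*` or `phonehomes < 3`) to apply other filters, and drop it entirely to list every client that has ever phoned home in the search window.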

chanfoli
Builder

Yes, according to the forwarder management page. Also, apps have been deployed as expected.


lguinn2
Legend

Did the client actually phone home?


chanfoli
Builder

Thanks again L. Understood. In this case, we recently added 28 of our first Windows clients; we're mostly splunking Linux. I see most phoning home fine within minutes in the clients page, but it doesn't look like the phone-home events actually end up in the clients' splunkd.logs. I see other events relating to watched file monitors etc., but nothing with regard to phone-homes. I was trying to access the same data the forwarder management page is using to tell me that client X has phoned home in the past minute; I take it that this is either not indexed or not accessible. Thanks, Sean.


lguinn2
Legend

By default, all the forwarders should be sending their splunkd.log files (and some others) to the Splunk indexers, so you should be able to see things from the forwarder perspective as well as from the forwarder management server.

A search of

index=_internal sourcetype=splunkd | stats count by host

over the last hour should show many different hosts...


chanfoli
Builder

Thanks L. I was seeing some relevant events, but I am not finding anything on my deployment server in _internal which would correspond to the actual phone-home event and tie it to a client, other than the splunkd_access logs, which don't really have anything that useful or even easily extractable. I basically want to search and report similar to the "Clients" tab in forwarder management, but apply some more complex filters and sort the list. If it is not doable, I understand.
