Hello,
I want to be able to customize searches on the data in the forwarder management page. It would seem that client phone-home status is being cached somewhere, like in an index, but I can't find it. I would like to be able to have more flexible filtering on what I see and the ability to sort it.
Thanks,
Sean
Look in the _internal index. Here are some ideas to get you started...
Are apps being downloaded?
index=_internal component=DeployedApplication OR component=PackageDownloadRestHandler sourcetype=splunkd
| table _time log_level host app message
Is the deployment client phoning home?
index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler)
| sort _time
| table _time host log_level message
Is the deployment server hearing the phone homes?
index=_internal metrics group=deploy-server sourcetype=splunkd
| timechart span=2m avg(nReceived) by host
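An added example, not from this thread, that builds on the DC* phone-home search above so the result can be filtered and sorted the way the question asks for. It assumes the forwarders ship their splunkd.log into _internal (as discussed in this thread); the 10-minute staleness threshold and the host=win* filter are made-up values chosen for illustration.

```spl
index=_internal sourcetype=splunkd (*phonehome* component=DC*) OR component=DC:HandshakeReplyHandler
| stats latest(_time) AS last_phonehome count AS phonehome_events BY host
| eval minutes_since_phonehome = round((now() - last_phonehome) / 60, 1)
| eval status = if(minutes_since_phonehome > 10, "stale", "ok")
| search host=win* OR status=stale
| sort -minutes_since_phonehome
| convert ctime(last_phonehome)
| table host last_phonehome minutes_since_phonehome phonehome_events status
```

The stats line collapses the per-event log lines into one row per client host, after which any search, where, sort or table clause can be applied. If you run a search on the deployment server itself, `| rest /services/deployment/server/clients` returns the same client list the Clients tab renders (the field names it returns, such as `lastPhoneHomeTime`, are from memory rather than from this thread, so check them against your own output before building on them).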
Yes, according to the forwarder management page. Also, apps have been deployed as expected.
Did the client actually phone home?
Thanks again L. Understood. In this case, we recently added 28 of our first Windows clients; we're mostly splunking Linux. I see most phoning home fine within minutes in the Clients page, but it doesn't look like the phone-home events actually end up in the clients' splunkd.logs. I see other events relating to watched file monitors etc., but nothing with regard to phone-homes. I was trying to access the same data the forwarder management page is using to tell me that x-client has phoned home in the past minute; I take it that this is either not indexed or not accessible. Thanks, Sean.
By default, all the forwarders should be sending their splunkd.log files (and some others) to the Splunk indexers, so you should be able to see things from the forwarder perspective as well as from the forwarder management server.
A search of
index=_internal sourcetype=splunkd | stats count by host
over the last hour should show many different hosts...
Thanks L. I was seeing some relevant events, but I am not finding anything on my deployment server in _internal which would correspond to the actual phone-home event and tie it to a client, other than the splunkd_access logs, which don't really have anything that useful or even easily extractable. I basically want to search and report similar to the "Clients" tab in forwarder management, but apply some more complex filters and sort the list. If it is not doable, I understand.