Any best way to do this?
Thanks in advance
You can get a list of deployment clients like this:
| rest /services/deployment/server/clients
Using that you can build a scheduled search using outputlookup to keep that list up to date, as well as an alert looking for new deployment clients (consider including first seen / last seen timestamps in the lookup) and an alert looking for deployment clients not sending any data.
Just paste that into your Splunk search bar on the Deployment Server and hit the search button.
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/rest
Martin, could you explain this in more detail, as I'm new to Splunk? How do I get the clients list using the above REST API?
Try this.
1) Get a list of current forwarders.
|metadata type=hosts index=* | table host
This may give all forwarders sending data, including search heads, so exclude them accordingly. You can export it as CSV and create a lookup table file, OR use the outputlookup command.
2) Once the lookup file is created (say forwarders.csv), use the following for your alert.
|metasearch index=*
| stats count by host
| eval type="current"
| table host, type
| append [|inputlookup forwarders.csv | eval type="existing"]
| stats values(type) as type by host
| where mvcount(type)=1
| eval reason=if(type="current","New Host","Missing Host")
| table host reason
Set the alert to fire if there are any events returned from above.
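As an added worked example (not code from either answer above, and not something you paste into the Splunk search bar), here is the comparison both answers describe, run in Python over constructed sample rows: Martin's lookup with first seen / last seen timestamps plus the two alerts (new deployment clients, clients not sending data), and soni's "New Host" / "Missing Host" set comparison. The host names, timestamps, event counts and the 24-hour grace threshold are all made up for the illustration; the function names are mine, not Splunk's.

```python
import csv
import io

# Constructed sample: the host -> event-count pairs that
#   | metasearch index=* | stats count by host
# might return for the current alert window. Not real data.
CURRENT_HOSTS = {"web01": 120, "web02": 98, "db01": 15, "uf-new-07": 3}

# Constructed sample lookup (forwarders.csv) extended with the first_seen /
# last_seen epoch timestamps Martin suggested. app03 went quiet over two
# days ago; app04 is absent from this window but was seen ~11 hours ago.
EXISTING_LOOKUP_CSV = """host,first_seen,last_seen
web01,1700000000,1700604800
web02,1700000000,1700604800
db01,1700000000,1700604800
app03,1700000000,1700500000
app04,1700000000,1700650000
"""

# Constructed sample of the hostnames that
#   | rest /services/deployment/server/clients
# would list (hosts that phone home to the deployment server).
DEPLOYMENT_CLIENTS = {"web01", "web02", "db01", "uf-new-07", "app03", "app04"}

NOW = 1700691200            # constructed "search time" (epoch seconds)
MISSING_AFTER = 24 * 3600   # seconds without data before a host is "missing"


def load_lookup(csv_text):
    """Parse a forwarders.csv-style lookup into {host: {first_seen, last_seen}}."""
    rows = {}
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows[r["host"]] = {"first_seen": int(r["first_seen"]),
                           "last_seen": int(r["last_seen"])}
    return rows


def reconcile(current_hosts, lookup, now, missing_after):
    """Compare this window's hosts with the lookup.

    Returns (new_hosts, missing_hosts, updated_lookup):
      new_hosts      - sending data now but not in the lookup ("New Host")
      missing_hosts  - in the lookup but silent for longer than missing_after
      updated_lookup - what the scheduled search would write back with
                       outputlookup (first_seen kept, last_seen refreshed)
    Unlike a plain set difference over one search window, a host that is
    merely quiet for a few hours is not reported as missing.
    """
    updated = {h: dict(v) for h, v in lookup.items()}   # do not mutate input
    new_hosts = []
    for host in current_hosts:
        if host in updated:
            updated[host]["last_seen"] = now
        else:
            new_hosts.append(host)
            updated[host] = {"first_seen": now, "last_seen": now}
    missing = [h for h, v in updated.items()
               if now - v["last_seen"] > missing_after]
    return sorted(new_hosts), sorted(missing), updated


def phoning_home_but_silent(deployment_clients, current_hosts):
    """Deployment clients that checked in with the deployment server but sent
    no data in this window (Martin's third alert). Assumes the REST hostname
    and the indexed host field use the same naming."""
    return sorted(set(deployment_clients) - set(current_hosts))


def dump_lookup(lookup):
    """Serialise the updated lookup back to CSV text (outputlookup equivalent)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["host", "first_seen", "last_seen"])
    for host in sorted(lookup):
        w.writerow([host, lookup[host]["first_seen"], lookup[host]["last_seen"]])
    return buf.getvalue()


if __name__ == "__main__":
    new, missing, updated = reconcile(
        CURRENT_HOSTS, load_lookup(EXISTING_LOOKUP_CSV), NOW, MISSING_AFTER)
    for host in new:
        print(host, "New Host")
    for host in missing:
        print(host, "Missing Host")
    for host in phoning_home_but_silent(DEPLOYMENT_CLIENTS, CURRENT_HOSTS):
        print(host, "Phoning home, no data")
    print(dump_lookup(updated))
```

In Splunk terms, `reconcile` is the scheduled search that ends in `| outputlookup forwarders.csv`, and each non-empty result list is one alert. The grace threshold is the practical difference from a one-window set comparison: a forwarder that is simply quiet for part of the window (app04) is not flagged as missing until it has been silent longer than `MISSING_AFTER`, while a client that still phones home to the deployment server but indexes nothing (app03, app04) is caught by the separate check.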
Many thanks, soni. But the above search took time if we provide index=*. Initially I tried to extract with the _internal index only; it works, but many UFs are not sending to _internal, so I need to put index=*. Any ideas?