Getting Data In

How to extract list of hosts into a lookup and setup daily alert for any changes?

splunkn
Communicator
  1. How do I extract a list of all the universal forwarders (deployment clients) contacting the deployment server?
  2. I want to maintain the total hosts (from step 1) in a lookup and compare with the hosts seen today (24 hours), and need an alert for the following:
     a. if a new host is coming in (not in the lookup)
     b. if a configured host is not coming in (present in the lookup but not in the alternate)

Is there any best way to do this?
Thanks in advance

0 Karma

martin_mueller
SplunkTrust

You can get a list of deployment clients like this:

| rest /services/deployment/server/clients

Using that you can build a scheduled search using outputlookup to keep that list up to date, as well as an alert looking for new deployment clients (consider including first seen / last seen timestamps in the lookup) and an alert looking for deployment clients not sending any data.
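As an added illustration of the approach above (this is example SPL, not martin_mueller's own searches), here is one way to keep the lookup current with first seen / last seen timestamps and then alert from it. It assumes a lookup file named deployment_clients.csv, and assumes the REST endpoint returns the client's host name in a field called hostname; both are assumptions, so check the field names with a bare `| rest /services/deployment/server/clients` first. The first search is the scheduled lookup maintainer; the second (after the blank line) is the alert.

```spl
| rest /services/deployment/server/clients
| rename hostname AS host
| eval first_seen=now(), last_seen=now()
| table host, first_seen, last_seen
| inputlookup append=true deployment_clients.csv
| stats min(first_seen) AS first_seen, max(last_seen) AS last_seen BY host
| outputlookup deployment_clients.csv

| inputlookup deployment_clients.csv
| eval status=case(first_seen > relative_time(now(), "-24h"), "New Host",
                   last_seen  < relative_time(now(), "-24h"), "Missing Host")
| where isnotnull(status)
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| table host, status, first_seen, last_seen
```

Because inputlookup errors on a lookup that does not exist yet, seed deployment_clients.csv once by running the first search without the `inputlookup append=true` line. Schedule the maintainer more often than the 24-hour window used in the alert (for example hourly), otherwise last_seen can lag and every host will look missing. A client that stops phoning home keeps its old last_seen, which is exactly what the "Missing Host" branch catches; a client that starts phoning home gets a fresh first_seen, which the "New Host" branch catches.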

martin_mueller
SplunkTrust

Just paste that into your Splunk search bar on the Deployment Server and hit the search button.

http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/rest

0 Karma

splunkn
Communicator

Martin, could you explain this in more detail, as I'm new to Splunk? How do I get the client list using the above REST API?

0 Karma

somesoni2
SplunkTrust

Try this.

1) Get List of current forwarders.

|metadata type=hosts index=* | table host 

This may give all forwarders sending data, including search heads, so exclude them accordingly. You can export it as a CSV and create a lookup table file, OR use the outputlookup command.

2) Once the lookup file is created (say forwarders.csv), use the following for your alert.

|metasearch index=* | stats count by host | eval type="current" | table host, type | append [|inputlookup forwarders.csv | eval type="existing"] | stats values(type) as type by host | where mvcount(type) =1 | eval reason=if(type="current","New Host","Missing Host") | table host reason

Set the alert to fire if there are any events returned from above.

0 Karma
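As an added example (not somesoni2's own search), the alert in step 2 can be built on the metadata command instead of metasearch, so it reads the index metadata rather than scanning events across index=*. It uses the forwarders.csv lookup from step 1 (which holds only a host column) and the recentTime field that metadata returns for each host; the 24-hour window is enforced with relative_time rather than the search time range.

```spl
| metadata type=hosts index=*
| where recentTime >= relative_time(now(), "-24h")
| eval type="current"
| table host, type
| inputlookup append=true forwarders.csv
| fillnull value="existing" type
| stats values(type) AS type BY host
| where mvcount(type) = 1
| eval reason=if(type="current", "New Host", "Missing Host")
| table host, reason
```

Rows from forwarders.csv have no type field, so fillnull tags them "existing"; a host present in both sets gets two values and is filtered out by the mvcount check, leaving only new or missing hosts. Set the alert to fire when this search returns any results. Note that recentTime is the time the host's most recent event was indexed, so a forwarder that is alive but has not produced any events in 24 hours will show up as missing; that is usually the behaviour you want for a "not sending data" alert, but hosts that legitimately go quiet (search heads, test boxes) should be removed from the lookup.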

splunkn
Communicator

Many thanks, Soni. But the above search takes time if we provide index=*. Initially I tried to extract with the _internal index only; it works, but many UFs are not sending to _internal, so I need to put index=*. Any ideas?

0 Karma