Find rogue splunk servers

omgwut56k · ‎05-22-2015

I have a list of computers running splunkweb , I am trying to remove results that are logging to the _internal index which would indicate the servers are part of our main infrastructure.

How can I filter out hosts that have reported to events to the _internal index?

MuS · ‎05-24-2015

Hi omgwut56k,

if I get you correct, you wants to stop or reconfigure some search heads and have them stop forwarding their _internal index - right?

There are a few things you should keep in mind tough:

it is not a good practice not to forward the _internal, since it makes troubleshooting much more complicated.
What is your intension to do so? If it's about the data amount send, then rather fix any problem on that search head than stop forwarding.
If your concern is about license; _internal does not count on the license and has a default retention of 30 days.

But back to your question; this is pretty easy, login to any search head that has all your indexers are search peer and run:

index=_internal | stats count by host

This will get a table of all splunk server sending their _internal events to the indexer.

Hope that helps ...

cheers, MuS

woodcock · ‎05-23-2015

Do you perhaps mean main instead of _index?

woodcock · ‎05-22-2015

I do not understand; all Splunk servers should log to _index. That is kind of the entire point.

Find rogue splunk servers

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life