Getting Data In

How to export a list containing Host Name, Host IP, Apps, Server Class, and Machine Type for a Splunk server?

rbullard
Engager

My group is taking over operations for a Splunk server brought over from an acquisition. We are trying to get a handle on what the previous Splunk admins had set up.

We would like to export a list that has the following information:
Host Name
Host IP
Apps
Server Class
Machine Type

I haven't been able to find a config file or search pattern to produce those results. Any help is appreciated.

Thanks,
Rick

wrangler2x
Motivator

Hybrid of the above searches:

| rest /services/deployment/server/clients  splunk_server=local
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval Forwarder = lower(dns)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os = case(os == "linux", "Linux", os == "windows", "Windows", arch == "sun4u", "Solaris", arch == "sun4v", "Solaris")
| fields - utsname
| lookup version2build.csv build
| rename averagePhoneHomeInterval AS PHI
| stats values(Apps) AS Apps, values(ServerClasses) AS ServerClasses count by Forwarder ip os arch version build clientName splunk_server PHI lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-PHI
| eval missing=if(missing<0, 0, missing)
| eval Missing=if(missing>0, "Yes", "No")
| fields - missing
| addtotals count col=t row=f

goelli
Communicator

Like somesoni2 already suggested, you can use the rest command on the DeploymentServer, or any server which has the DeploymentServer as a search peer, to access the REST endpoint /services/deployment/client. It provides all information about the connected clients.

I found this approach a little more readable:

| rest /services/deployment/server/clients
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| table hostname ip dns utsname clientName Apps ServerClasses averagePhoneHomeInterval lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-averagePhoneHomeInterval | eval missing=if(missing<0, 0, missing)
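An added Python example, not code from this thread or from Splunk, that does the same flattening as goelli's and wrangler2x's foreach searches against the REST endpoint (one row per client with its apps and server classes, plus the "missing" staleness check) so the inventory can be exported as CSV from a script rather than Splunk Web. The response layout (entry[].content carrying the fields `| rest` shows, in either nested or dotted form), the base URL and the token are assumptions or placeholders:

```python
"""Export the deployment-server client inventory (host, IP, apps, server
classes, machine type) as CSV.

Added example, not code from this thread: it reproduces in Python what the
SPL answers do with `| rest /services/deployment/server/clients` plus
foreach/mvappend (or untable). Assumptions (not from the thread): the JSON
layout of the endpoint response (`entry[].content` holding the fields the
`| rest` output shows), and the placeholder host and token in fetch_clients().
"""
import csv
import io
import json
import time
import urllib.request
from typing import Any, Dict, Iterable, List, Optional

CLIENTS_ENDPOINT = "/services/deployment/server/clients"


def fetch_clients(base_url: str, token: str) -> List[Dict[str, Any]]:
    """Pull all client entries from the deployment server's REST API.

    base_url/token are placeholders to fill in; count=0 asks for every entry
    and output_mode=json selects JSON instead of the default Atom XML.
    """
    req = urllib.request.Request(
        f"{base_url}{CLIENTS_ENDPOINT}?output_mode=json&count=0",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        return json.load(resp)["entry"]


def _names_under(content: Dict[str, Any], prefix: str) -> List[str]:
    """Names one level below `prefix`, e.g. app names under 'applications'.

    The SPL does this with `foreach applications.*.restartSplunkd`. The JSON
    endpoint may return either a nested object or the flattened dotted keys
    that `| rest` shows (assumption), so both shapes are accepted.
    """
    names = set()
    nested = content.get(prefix)
    if isinstance(nested, dict):
        names.update(nested.keys())
    for key in content:
        if key.startswith(prefix + "."):
            names.add(key[len(prefix) + 1:].split(".", 1)[0])
    return sorted(names)


def flatten_clients(entries: Iterable[Dict[str, Any]],
                    now: Optional[float] = None) -> List[Dict[str, Any]]:
    """One row per client, with the staleness flag wrangler2x's search computes:
    a client is "Missing" when now - lastPhoneHomeTime exceeds its average
    phone-home interval (a forwarder that stopped checking in)."""
    now = time.time() if now is None else now
    rows = []
    for entry in entries:
        c = entry.get("content", entry)
        last = float(c.get("lastPhoneHomeTime", 0))
        interval = float(c.get("averagePhoneHomeInterval", 0))
        overdue = max(0, int(now - last - interval))
        rows.append({
            "Host": str(c.get("hostname", "")).lower(),
            "Host_IP": c.get("ip", ""),
            "FQDN": c.get("dns", ""),
            "Machine_Type": c.get("utsname", ""),
            "clientName": c.get("clientName", ""),
            "Apps": ";".join(_names_under(c, "applications")),
            "ServerClasses": ";".join(_names_under(c, "serverClasses")),
            "Last_PhoneHome": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(last)),
            "Missing": "Yes" if overdue > 0 else "No",
            "OverdueSeconds": overdue,
        })
    return rows


def to_csv(rows: List[Dict[str, Any]]) -> str:
    """Serialise the rows as CSV text (the export the question asks for)."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample response (not real data): one entry in nested form,
# one in the flattened dotted-key form.
SAMPLE_ENTRIES = [
    {"name": "web01", "content": {
        "hostname": "WEB01", "ip": "10.0.0.5", "dns": "web01.example.test",
        "utsname": "linux-x86_64", "clientName": "web01",
        "lastPhoneHomeTime": 1700000000, "averagePhoneHomeInterval": 60,
        "applications": {"app_web_inputs": {"restartSplunkd": True},
                         "Splunk_TA_nix": {"restartSplunkd": False}},
        "serverClasses": {"sc_web": {"restartSplunkd": True}}}},
    {"name": "db01", "content": {
        "hostname": "DB01", "ip": "10.0.0.9", "dns": "db01.example.test",
        "utsname": "windows-x64", "clientName": "db01",
        "lastPhoneHomeTime": 1700000290, "averagePhoneHomeInterval": 60,
        "applications.app_db_inputs.restartSplunkd": False,
        "serverClasses.sc_db.restartSplunkd": False}},
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_clients(...) for a live server.
    print(to_csv(flatten_clients(SAMPLE_ENTRIES)))
```

The OverdueSeconds column is kept as a number rather than only the Yes/No flag so the export can be sorted to find forwarders that have been silent longest, which is usually the first thing to check when inheriting an unfamiliar deployment.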

somesoni2
SplunkTrust

Splunk REST API endpoints are here to help. Try something like this:

| rest /services/deployment/server/clients
| table dns ip utsname *.restartSplunkd
| eval temp=dns."#".ip."#".utsname
| table temp *.restartSplunkd
| untable temp apps count
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null())
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null())
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)"
| table Host Host_IP Machine_Type Apps ServerClass
| stats Values(*) as * by Host Host_IP Machine_Type

rbullard
Engager

Unfortunately that provides "No results". Maybe the previous admins did more extensive changes than I would have thought.

Taking your answer and attempting to find those "changes".


somesoni2
SplunkTrust

Try to run this query from the deployment server's Splunk Web.


jwiedow
Communicator

Thank you somesoni2. I had a similar request and this helped me out immensely. I updated your search slightly as follows and ran it on our DMC and the results are exactly what we are looking for.

| rest splunk_server_group=dmc_group_deployment_server /services/deployment/server/clients
| eval hostname=lower(hostname)
| eval lastphonehome=strftime(lastPhoneHomeTime,"%m/%d/%Y %H:%M:%S%z")
| table splunk_server hostname dns ip utsname build name lastphonehome *.restartSplunkd
| eval temp=splunk_server."#".hostname."#".dns."#".ip."#".utsname."#".build."#".name."#".lastphonehome
| table temp *.restartSplunkd
| untable temp apps count
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null())
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null())
| rex field=temp "(?<SplunkDS>.*)#(?<Host>.*)#(?<FQDN>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)#(?<Build>.*)#(?<clientName>.*)#(?<Last_PhoneHome>.*)"
| table SplunkDS Host FQDN Host_IP Machine_Type Build clientName Last_PhoneHome Apps ServerClass
| stats Values(*) as * by SplunkDS Host FQDN Host_IP Machine_Type Build clientName Last_PhoneHome
| sort +Host,+SplunkDS

It would be nice to see the DMC extended to include Deployment Server information instead of having to do this ourselves.
