My group is taking over operations for a Splunk server brought over from an acquisition. We are trying to get a handle on what the previous Splunk admins had set up.
We would like to export a list that has the following information:
Host Name
Host IP
Apps
Server Class
Machine Type
I haven't been able to find a config file or search pattern to produce those results. Any help is appreciated.
Thanks,
Rick
Hybrid of the above searches:
| rest /services/deployment/server/clients splunk_server=local
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval Forwarder=lower(dns)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os=case(os=="linux", "Linux", os=="windows", "Windows", arch=="sun4u", "Solaris", arch=="sun4v", "Solaris")
| fields - utsname dns
| lookup version2build.csv build
| rename averagePhoneHomeInterval AS PHI
| stats values(Apps) AS Apps, values(ServerClasses) AS ServerClasses, count by Forwarder ip os arch version build clientName splunk_server PHI lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-PHI
| eval missing=if(missing<0, 0, missing)
| eval Missing=case(missing==0, "No", missing>0, "Yes")
| fields - missing
| addtotals col=t row=f count
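The same inventory built outside SPL, as an added example that is not part of this thread: a Python script that flattens a JSON response from the /services/deployment/server/clients endpoint into the Host / IP / Machine Type / Apps / ServerClass rows the question asks for, with the overdue-phone-home ("Missing") check from the search above. The JSON layout (applications and serverClasses as nested objects keyed by name) and the sample values are assumptions constructed for the example, not taken from a real server.

```python
import csv
import io
import json

# Constructed sample shaped like /services/deployment/server/clients?output_mode=json.
# The nesting applications.<app>.restartSplunkd is inferred from the field names the
# searches above use; the exact JSON layout is an assumption to check on your server.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "client-1", "content": {
        "hostname": "WEB01", "ip": "10.0.0.5", "utsname": "linux-x86_64",
        "averagePhoneHomeInterval": 60, "lastPhoneHomeTime": 1700000000,
        "applications": {"app_outputs": {"restartSplunkd": True},
                         "app_inputs_web": {"restartSplunkd": False}},
        "serverClasses": {"linux_all": {"restartSplunkd": True},
                          "web_tier": {"restartSplunkd": True}}}},
    {"name": "client-2", "content": {
        "hostname": "dc01", "ip": "10.0.1.9", "utsname": "windows-x64",
        "averagePhoneHomeInterval": 60, "lastPhoneHomeTime": 1699990000,
        "applications": {"app_outputs": {"restartSplunkd": True}},
        "serverClasses": {"windows_all": {"restartSplunkd": True}}}},
]})


def parse_clients(raw_json, now):
    """One inventory row per deployment client: the fields the foreach/mvappend
    search builds, plus the overdue-phone-home ('Missing') check."""
    rows = []
    for entry in json.loads(raw_json)["entry"]:
        c = entry["content"]
        os_name, _, arch = c.get("utsname", "").partition("-")
        # Seconds past the expected phone-home interval, clamped at 0 like the SPL.
        overdue = max(0, now - c["lastPhoneHomeTime"] - c["averagePhoneHomeInterval"])
        rows.append({
            "Host": c.get("hostname", "").lower(),
            "Host_IP": c.get("ip", ""),
            "Machine_Type": c.get("utsname", ""),
            "OS": {"linux": "Linux", "windows": "Windows"}.get(os_name, os_name),
            "Arch": arch,
            "Apps": ";".join(sorted(c.get("applications", {}))),
            "ServerClasses": ";".join(sorted(c.get("serverClasses", {}))),
            "Missing": "Yes" if overdue > 0 else "No",
        })
    return rows


def to_csv(rows):
    # The flat export the question asks for; column order follows the row dicts.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Feed it the body of an authenticated GET against the endpoint with output_mode=json; any client whose Missing column reads "Yes" has not phoned home within its expected interval and is worth checking before you trust the inventory.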
Like somesoni2 already suggested, you can use the rest command on the DeploymentServer, or on any server that has the DeploymentServer as a search peer, to access the REST endpoint /services/deployment/client. It provides all the information about the connected clients.
I found this approach a little more readable:
| rest /services/deployment/server/clients
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval missing=now()-lastPhoneHomeTime-averagePhoneHomeInterval
| eval missing=if(missing<0, 0, missing)
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| table hostname ip dns utsname clientName Apps ServerClasses averagePhoneHomeInterval lastPhoneHomeTime missing
Splunk REST API endpoints are here to help. Try something like this:
| rest /services/deployment/server/clients
| table dns ip utsname *.restartSplunkd
| eval temp=dns."#".ip."#".utsname
| table temp *.restartSplunkd
| untable temp apps count
| eval Apps=if(like(apps,"app%"), mvindex(split(apps,"."),1), null())
| eval ServerClass=if(like(apps,"server%"), mvindex(split(apps,"."),1), null())
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)"
| table Host Host_IP Machine_Type Apps ServerClass
| stats values(*) as * by Host Host_IP Machine_Type
Unfortunately that provides "No results". Maybe the previous admins did more extensive changes than I would have thought.
Taking your answer and attempting to find those "changes".
Try to run this query from the deployment server's Splunk Web.
Thank you somesoni2. I had a similar request and this helped me out immensely. I updated your search slightly as follows and ran it on our DMC, and the results are exactly what we are looking for.
| rest splunk_server_group=dmc_group_deployment_server /services/deployment/server/clients
| eval hostname=lower(hostname)
| eval lastphonehome=strftime(lastPhoneHomeTime,"%m/%d/%Y %H:%M:%S%z")
| table splunk_server hostname dns ip utsname build name lastphonehome *.restartSplunkd
| eval temp=splunk_server."#".hostname."#".dns."#".ip."#".utsname."#".build."#".name."#".lastphonehome
| table temp *.restartSplunkd
| untable temp apps count
| eval Apps=if(like(apps,"app%"), mvindex(split(apps,"."),1), null())
| eval ServerClass=if(like(apps,"server%"), mvindex(split(apps,"."),1), null())
| rex field=temp "(?<SplunkDS>.*)#(?<Host>.*)#(?<FQDN>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)#(?<Build>.*)#(?<clientName>.*)#(?<Last_PhoneHome>.*)"
| table SplunkDS Host FQDN Host_IP Machine_Type Build clientName Last_PhoneHome Apps ServerClass
| stats values(*) as * by SplunkDS Host FQDN Host_IP Machine_Type Build clientName Last_PhoneHome
| sort +Host,+SplunkDS
It would be nice to see the DMC extended to include Deployment Server information instead of having to do this ourselves.