Does anyone know how to generally quantify within a report or otherwise whether or not a system with an OS of any type is communicating with Splunk? I am sure that routers will be involved with my quest as well.
Thanks in advance.
index=_internal component=HttpPubSubConnection | table host | dedup host | sort host
index=_internal component=Metrics group=tcpin_connections
Those logs contain version and OS info. Slice and dice with stats as needed.
EDIT: Something like this, where _time will be the last time it logged:
EDIT EDIT: changed host to hostname (duh)
index=_internal component=Metrics group=tcpin_connections | stats latest(_time) as _time latest(build) as Build latest(version) as SplunkVersion latest(os) as OS latest(fwdType) as SplunkType values(lastIndexer) as Indexers by hostname
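The same aggregation done outside Splunk, as an added example that is not part of the answer above: a small Python script that parses splunkd metrics.log lines for group=tcpin_connections, keeps the latest build/version/os/fwdType per hostname and the set of lastIndexer values (the stats command above), and then flags hosts whose last connection is older than a threshold, which is the point of carrying _time in the report. The five log lines are constructed for the example and only approximate the real metrics.log layout (field names match the search; ordering and extra fields are an assumption). Note that build, version, os and fwdType are reported by the connecting Splunk instance, so this inventory lists hosts running a forwarder or full Splunk, not every device whose logs end up in Splunk.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample metrics.log lines (NOT real data; layout approximated).
SAMPLE_LOG = """\
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=12.50, build=abc123, version=9.1.2, os=Linux, arch=x86_64, hostname=web01, guid=A1, fwdType=uf, ssl=false, lastIndexer="idx1:9997", ack=false
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51235:9997, connectionType=cooked, sourcePort=51235, sourceHost=10.0.0.12, sourceIp=10.0.0.12, destPort=9997, kb=3.10, build=def456, version=8.2.9, os=Windows, arch=x86_64, hostname=dc01, guid=B2, fwdType=uf, ssl=true, lastIndexer="idx2:9997", ack=false
03-01-2024 10:30:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51240:9997, connectionType=cooked, sourcePort=51240, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=14.00, build=abc123, version=9.1.2, os=Linux, arch=x86_64, hostname=web01, guid=A1, fwdType=uf, ssl=false, lastIndexer="idx2:9997", ack=false
03-01-2024 10:30:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:51241:9997, connectionType=cooked, sourcePort=51241, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=0.40, build=abc123, version=9.1.2, os=Linux, arch=x86_64, hostname=syslog01, guid=C3, fwdType=full, ssl=false, lastIndexer="idx1:9997", ack=false
03-01-2024 10:30:31.000 +0000 INFO  Metrics - group=pipeline, name=parsing, processor=aggregator, cpu_seconds=0.01
"""

# Constructed "now" for the staleness check below (assumption for the demo).
DEMO_NOW = datetime(2024, 3, 1, 10, 40, tzinfo=timezone.utc)

TS_RE = re.compile(r'^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})')
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_metrics_line(line):
    """Return (timestamp, {field: value}) for a tcpin_connections event, else None."""
    m = TS_RE.match(line)
    if not m or "group=tcpin_connections" not in line:
        return None
    ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return ts, fields


def forwarder_inventory(log_text):
    """Equivalent of the answer's stats: latest() of build/version/os/fwdType
    and values(lastIndexer), keyed by hostname."""
    inv = {}
    for line in log_text.splitlines():
        parsed = parse_metrics_line(line)
        if not parsed:
            continue
        ts, f = parsed
        host = f.get("hostname")
        if not host:
            continue
        entry = inv.setdefault(host, {"_time": ts, "Indexers": set()})
        if ts >= entry["_time"]:  # latest() semantics: newest event wins
            entry.update(_time=ts, Build=f.get("build"),
                         SplunkVersion=f.get("version"), OS=f.get("os"),
                         SplunkType=f.get("fwdType"))
        if f.get("lastIndexer"):
            entry["Indexers"].add(f["lastIndexer"])
    return inv


def stale_hosts(inv, now, max_age=timedelta(minutes=15)):
    """Hosts whose newest tcpin_connections event is older than max_age:
    forwarders that used to report in and have gone quiet."""
    return sorted(h for h, e in inv.items() if now - e["_time"] > max_age)


def render(inv):
    """One text row per host, in the column order of the search above."""
    rows = []
    for host in sorted(inv):
        e = inv[host]
        rows.append(f'{host:<10} {e["_time"]:%Y-%m-%d %H:%M:%S} '
                    f'{e.get("SplunkVersion") or "?":<8} {e.get("OS") or "?":<8} '
                    f'{e.get("SplunkType") or "?":<5} '
                    f'{",".join(sorted(e["Indexers"]))}')
    return rows


if __name__ == "__main__":
    inventory = forwarder_inventory(SAMPLE_LOG)
    print("hostname   last seen           version  os       type  indexers")
    for row in render(inventory):
        print(row)
    print("stale (>15 min):", stale_hosts(inventory, DEMO_NOW))
```

In practice the input would be the output of `index=_internal component=Metrics group=tcpin_connections` exported from Splunk, or splunkd's metrics.log read off the indexers directly; the threshold in `stale_hosts` should be a bit longer than the forwarders' reconnect interval so a brief reconnect is not reported as a missing host.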