Getting Data In

App to monitor forwarder -> indexer connection?

muebel
SplunkTrust

Is there an app or collection of saved searches anybody has that would monitor and graph out all parts of the TCP connection setup between a splunk forwarder and indexer? Does anybody have any favorite searches used on the metrics.log?

1 Solution

Genti
Splunk Employee

Here are a few of them, credits go to Simeon:
Which IP addresses are connecting to Splunk as inputs and how many times is it logged in metrics.log?

index=_internal source=metrics.log tcpin_connections | stats count by sourceIp

Where is Splunk trying to forward data to?

index=_internal source=metrics.log destHost | dedup destHost

What output queues are set up?

index=_internal source=metrics.log group=queue tcpout | stats count by name

What hosts (not forwarder/tcp inputs) have logged an event to Splunk in the last 10 minutes (includes rangemap)?

| metadata type=hosts index=netops | eval diff=now()-recentTime | where diff < 600 | convert ctime(*Time) | stats count | rangemap field=count low=800-2000 elevated=100-799 high=50-99 sever=0-49

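The same aggregations the posted searches perform, as an added example that is not part of the original answer or of Splunk: a small Python parser over constructed metrics.log-style lines (the key=value fields, host names and addresses below are made up, not captured data). It reproduces the count by sourceIp, the dedup on destHost, the tcpout queue count, and the posted rangemap thresholds (with its `sever` label read as `severe`); note that the rangemap is deliberately inverted, since a drop in the number of reporting hosts is what signals broken forwarder connections.

```python
import re
from collections import Counter

# Constructed metrics.log-style lines (not from a real Splunk instance); fields follow the groups the posted searches key on.
SAMPLE_METRICS_LOG = """\
INFO  Metrics - group=tcpin_connections, 10.0.0.11:51022:9997, connectionType=cooked, sourcePort=51022, sourceHost=fwd-a, sourceIp=10.0.0.11, destPort=9997, kb=12.50
INFO  Metrics - group=tcpin_connections, 10.0.0.12:51100:9997, connectionType=cooked, sourcePort=51100, sourceHost=fwd-b, sourceIp=10.0.0.12, destPort=9997, kb=3.25
INFO  Metrics - group=tcpin_connections, 10.0.0.11:51022:9997, connectionType=cooked, sourcePort=51022, sourceHost=fwd-a, sourceIp=10.0.0.11, destPort=9997, kb=9.75
INFO  Metrics - group=tcpout_connections, name=idx-1:9997:0, destIp=10.0.1.5, destHost=idx-1, destPort=9997, _tcp_Bps=1024.00
INFO  Metrics - group=tcpout_connections, name=idx-2:9997:0, destIp=10.0.1.6, destHost=idx-2, destPort=9997, _tcp_Bps=512.00
INFO  Metrics - group=tcpout_connections, name=idx-1:9997:0, destIp=10.0.1.5, destHost=idx-1, destPort=9997, _tcp_Bps=2048.00
INFO  Metrics - group=queue, name=tcpout_primary, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=3
INFO  Metrics - group=queue, name=tcpout_primary, max_size_kb=500, current_size_kb=12, current_size=4, largest_size=9
INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=1
"""

KV_RE = re.compile(r"(\w+)=([^,\s]+)")

def parse_metrics(text):
    """Turn each 'key=value, key=value' line into a dict (positional tokens without '=' are dropped)."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def inputs_by_source_ip(events):
    """'source=metrics.log tcpin_connections | stats count by sourceIp'"""
    return Counter(e["sourceIp"] for e in events if e.get("group") == "tcpin_connections")

def forward_destinations(events):
    """'source=metrics.log destHost | dedup destHost' (first occurrence kept, order preserved)"""
    return list(dict.fromkeys(e["destHost"] for e in events if "destHost" in e))

def tcpout_queues(events):
    """'group=queue tcpout | stats count by name': queue samples whose name mentions tcpout"""
    return Counter(e["name"] for e in events if e.get("group") == "queue" and "tcpout" in e.get("name", ""))

def rangemap_host_count(count):
    """The posted rangemap: fewer recently reporting hosts is worse, so low counts map to 'severe'."""
    ranges = {"low": (800, 2000), "elevated": (100, 799), "high": (50, 99), "severe": (0, 49)}
    for label, (lo, hi) in ranges.items():
        if lo <= count <= hi:
            return label
    return "None"  # rangemap's default when no range matches

if __name__ == "__main__":
    events = parse_metrics(SAMPLE_METRICS_LOG)
    print(inputs_by_source_ip(events))   # Counter({'10.0.0.11': 2, '10.0.0.12': 1})
    print(forward_destinations(events))  # ['idx-1', 'idx-2']
    print(tcpout_queues(events))         # Counter({'tcpout_primary': 2})
    print(rangemap_host_count(42))       # severe
```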

Simeon
Splunk Employee

Genti's answer is great for searching... However, there is a "deployment monitor" app that is embedded in the Splunk 4.2.x product line.


