Getting all forwarder names via a REST call

ddrillic
Ultra Champion

We created a monitoring dashboard (outside of Splunk) which relies on rest /services/deployment/server/clients to get the list of the forwarders in the system. I would expect this call to return the same list as the list within the serverclass.conf file, but apparently these two are not compatible. Is there a way to make them compatible, meaning that this REST call would return exactly the list which serverclass.conf holds?


somesoni2
SplunkTrust

You should be able to get the list of whitelisted servers using the following query.

| rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname

You can put it in a lookup file, or just use the rest query itself and compare it against deployment/server/clients to know which clients are configured in serverclass.conf but not sending phonehome. Something like this:

| rest /services/deployment/server/serverclasses | table title whitelist.* | untable title whitelist hostname | stats count by hostname | table hostname | eval state="configured" | append [| rest /services/deployment/server/clients | table title | rename title as hostname | eval state="phonehome" ] | stats values(state) as state by hostname | where mvcount(state)=1 AND state="configured"


wrangler2x
Motivator

Well, reading this allowed me to develop a REST search that can look up the serverClasses associated with a particular host, which is handy-dandy when you get a decommissioned server notice. Here is the base search:

| rest /services/deployment/server/serverclasses splunk_server=local
| table title whitelist.*
| untable title whitelist hostname
| stats values(title) AS serverClasses count by hostname

The base search gives you a list of all hosts and the serverClasses associated with them. To look for a particular host, add this final line:

| search hostname=FQDNofSomeHost

I wanted to create a dashboard out of this, and so the search looks like this:

<searchTemplate>
| rest /services/deployment/server/serverclasses splunk_server=local
| table title whitelist.*
| untable title whitelist hostname
| stats values(title) AS serverClasses count by hostname
| search hostname = $HOSTNAME$
</searchTemplate>

With a fieldset clause next:

<input type="text" token="HOSTNAME" searchWhenChanged="true"></input>
<input type="time" searchWhenChanged="true">
  <default>Today</default>
</input>

You can use * as a wildcard to search for all hosts, or as the end of a partial host name.



ddrillic
Ultra Champion

You are truly amazing - can you please convert it to an answer?


somesoni2
SplunkTrust
SplunkTrust

The REST API endpoint will give the list of clients which are phoning home to the deployment server. The serverclass.conf file can have many clients which are not connecting to the deployment server and/or have wildcarded server names, so there may not be a one-to-one mapping available. What is your concern with using just the output of the REST endpoint?

ddrillic
Ultra Champion

The thing is that we reach situations where forwarders are down for some time and the rest call doesn't list these servers, so they can end up being down for a couple of weeks. We also make a good effort to maintain our serverclass.conf file. So, it is the single source of truth for us about the host inventory. It's interesting as we don't use wildcards when we specify the whitelists. Should I create a lookup table based on the serverclass.conf file and check each entry by itself to see whether it's phoning home?
