Splunk Enterprise

Is there a search to figure out which forwarder has which app?

nebel
Communicator

Hi,

I have a lot of forwarders. I want to make sure that the forwarders got the right app.
I did some searches but could not find anything related to my request.

Is there a Splunk search which shows a list with all forwarders and the installed app?

Thanks


kristian_kolb
Ultra Champion

Each forwarder writes to its splunkd.log under the DeployedApplication component, something like:

07-21-2012 12:01:22.267 +0300 INFO  DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle

If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for:

index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host

Hope this helps,

Kristian
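
An offline version of the forwarder-side search in the answer above, added here as an example and not part of the original post: it applies the same rex pattern to DeployedApplication lines and compares the result with an expected host-to-app baseline, which also surfaces forwarders that logged no deployment event at all. The host names, the apps other than WinEvtSec, the baseline and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Same pattern as the rex in the answer: rex "\sapp:\s(?<DepApp>\S+)\s"
DEP_APP = re.compile(r"\sapp:\s(?P<DepApp>\S+)\s")

def _line(app, server_class):
    """Build a constructed event in the format of the log line quoted in the answer."""
    return ("07-21-2012 12:01:22.267 +0300 INFO  DeployedApplication - "
            f"Refreshed app: {app} for service class: {server_class} from archive: "
            rf"C:\Program Files\SplunkUniversalForwarder\var\run\{server_class}\{app}-1306487137.bundle")

# Constructed (host, raw event) pairs; only WinEvtSec/AppsByMachineType come from the page.
SAMPLE_EVENTS = [
    ("fwd-win-01", _line("WinEvtSec", "AppsByMachineType")),
    ("fwd-win-01", _line("OutputsConf", "AllForwarders")),
    ("fwd-win-02", _line("OutputsConf", "AllForwarders")),
    ("fwd-win-02", _line("TestInputs", "AppsByMachineType")),
    ("fwd-win-02", "07-21-2012 12:01:25.000 +0300 INFO  SomeOtherComponent - unrelated message"),
]

# Hypothetical baseline: which apps each forwarder is supposed to have.
EXPECTED = {
    "fwd-win-01": {"WinEvtSec", "OutputsConf"},
    "fwd-win-02": {"WinEvtSec", "OutputsConf"},
    "fwd-win-03": {"OutputsConf"},  # never appears in the events
}

def inventory(events):
    """Equivalent of '| stats values(DepApp) by host' over the given events."""
    seen = defaultdict(set)
    for host, raw in events:
        match = DEP_APP.search(raw) if "DeployedApplication" in raw else None
        if match:
            seen[host].add(match.group("DepApp"))
    return dict(seen)

def audit(events, expected):
    """Return only the hosts whose observed apps differ from the baseline."""
    seen = inventory(events)
    report = {}
    for host in sorted(set(seen) | set(expected)):
        have, want = seen.get(host, set()), expected.get(host, set())
        if have != want:
            report[host] = {"missing": sorted(want - have),
                            "unexpected": sorted(have - want)}
    return report

if __name__ == "__main__":
    for host, diff in audit(SAMPLE_EVENTS, EXPECTED).items():
        print(host, diff)
```

A host listed with every expected app missing only means no matching event was seen for it in the data examined, so check that its splunkd.log is actually being forwarded before concluding the apps are absent.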


ziegfried
Influencer

You can find information about which forwarder downloaded a deployment app in Splunkd's access log on the deployment server:

index=_internal sourcetype="splunkd_access" uri_path=/services/streams/deployment | rex field=name ":(?<serverClass>.+?):(?<app>.+)" | table _time clientip serverClass app

nebel
Communicator

Thank you as well! It worked also, but there was just one chance to give it a green tick, sorry but thank you!

nebel
Communicator

Thank you very much, that worked great for my case! 🙂


kristian_kolb
Ultra Champion

oops. found a typo. fixed it. /k
