Deployment Architecture

How to get forwarder details with port

Mohsin123
Path Finder

Hi,

Can anyone help me with the query how to list the hosts with forwarder and port details .
Ex, which application has which hosts and whther they have forwarders installed or not?
If they have then , which forwarders are they pointing to with port details

Tags (1)
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

Please try below query

index=_internal source=*metrics.log group=tcpout_connections | stats values(destIp) AS HF_Splunk_Server, values(destPort) AS HF_Port by host

If you want to search for old HFs then you can filter out those using below query.

index=_internal source=*metrics.log group=tcpout_connections (destIp=<Old_HF1_IP> OR destIp=<Old_HF2_IP>) | stats values(destIp) AS HF_Splunk_Server, values(destPort) AS HF_Port by host
0 Karma

FrankVl
Ultra Champion

You can find the hosts that are sending to your old HFs with the following search:

index=_internal host=YOUR-OLDHFs source=*metrics.log group=tcpin_connections | stats count by hostname

This shows the metrics for incoming tcp connections on your HFs, listing the hostnames which will be the hosts sending into those tcp connections.

0 Karma

ansif
Motivator

Question is not clear. Do you mean to list hosts in your environment which has forwarders installed and not installed ? If UF is installed what you mean by ports details?

0 Karma

Mohsin123
Path Finder

Hi Ansif,

Let me clarify a bit ..
We have around 300 approx hosts which send data to splunk .
At those ends if forwarders are there , then in their outputs.conf file , our HFs are reporting .
we want them to change the details of HFs .
Now challenge is that few hosts already have our new HF details and few are pointing to the old ones that we are planning to decommision .
So , i found out list of hosts that send data to splunk by using below queries ...but how can i know which host have pointers to old HFs and which have pointers to new HFs . Can you please frame me a query to achieve this ?

My queries used are below :

index=_internal sourcetype=splunkd source=*metrics.log forwarder|eval forwarder=mvindex(split(source, "/"),-5)|chart values(forwarder) as FORWARDER by host

index=_internal |chart values(h) as HOST by idx

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...