Getting Data In

How do I get a count of applications deployed to forwarders?

rholm01
Explorer

The Deployment Server - (Settings -> Forwarder Management) shows Host Name, Client Name, Instance Name, IP Address, Actions, Machine Type, Deployed Apps, and Phone Home. I need to get a list of Hosts that have less than 5 Deployed Apps. I found this command which does this, but I only need the count and not the application names. Also, the Deployment server does not have an option to export the forwarder list.

| rest /services/deployment/server/clients splunk_server=local
| table hostname applications*.stateOnClient
| untable hostname applications value
| eval applications=replace(applications,"applications\.(\w+)\.stateOnClient","\1")
| stats values(applications) as applications by hostname
0 Karma
1 Solution

gcusello
SplunkTrust

Hi rholm01,
you could run a search like the following to extract all the information from Deployment Server:

| rest splunk_server=local /services/deployment/server/clients
| table hostname ip utsname *.restartSplunkd
| eval temp=hostname."#".ip."#".utsname 
| table temp *.restartSplunkd
| eval application.NoApp.restartSplunkd=0
| untable temp apps count 
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null()) 
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null() ) 
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)" 
| table Host Host_IP Machine_Type Apps ServerClass 
| stats Values(*) as * dc(Apps) AS dc_apps by Host Host_IP Machine_Type
| eval Apps=if(dc_apps=1,Apps,mvindex(Apps,1,10))
| nomv Apps
| nomv ServerClass
| fillnull value="NoSC" ServerClass

I configured this search as an alert on my Deployment Server and then at the end I put an outputcsv command to write results on a CSV file, then I read it with an input so I have this information on my Search Head and I can correlate it with the other information.

Bye.
Giuseppe

nnimbe1
Path Finder

@rholm01 Excellent, but along with this if you can add "last logs reported time for each host" then it will be excellent, because sometimes a host will report to deployment servers but will not send any logs...

0 Karma

jaxjohnny2000
Builder

Works like a champ!!!! Love this, thank you!!!

0 Karma

MasterOogway
Communicator

Excellent! Runs straight out without any changes.

This gives you a table view listing each server, OS, Apps installed, and what Serverclass they belong to.
Not sure if it's possible, but it doesn't take into account if any server is 'Blacklist' in an App. THAT would be nice to know too.

Already saved it as a Report. Thank you.

0 Karma

harsmarvania57
Ultra Champion

Hi @rholm01,

Try below query

| rest /services/deployment/server/clients splunk_server=local
| table hostname applications*.stateOnClient
| untable hostname applications value
| eval applications=replace(applications,"applications.(.*).stateOnClient","\1")
| stats count by hostname

EDIT: Updated query.

MasterOogway
Communicator

@harsmarvania57 - spot on search. Saweeet!

Run this on your Deployment Server.
I substituted the last line's 'hostname' and dropped in 'applications' and got a count of servers that have downloaded the Apps.

0 Karma

rholm01
Explorer

Also, the Deployment Server - Forwarder Management does not sort on the Deployed Apps column.

0 Karma
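
Added example, not part of any post in this thread: a count-only search that applies the "fewer than 5 deployed apps" threshold from the question and keeps clients with no deployed apps, which have no `applications.*` fields, with a count of 0. It assumes the `applications.<app>.stateOnClient` fields used in the searches above; `app_count` is a field name introduced here, and the count is per client row returned by the endpoint.

```spl
| rest /services/deployment/server/clients splunk_server=local
| fields hostname ip applications.*.stateOnClient
| eval app_count=0
| foreach applications.*.stateOnClient
    [ eval app_count=app_count + if(isnotnull('<<FIELD>>'), 1, 0) ]
| where app_count < 5
| sort 0 app_count hostname
| table hostname ip app_count
```

Run it on the Deployment Server, as with the searches above; clients that phone home but have received few or no apps sort to the top.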