Create an alert for SplunkForwarders with custom data inputs not in deployment server

spluzer
Communicator

Greetings all,

There are some custom apps out there on universal forwarders. They may be working now, but they need to be put in custom deployment apps so that they are not lost.

Any ideas on setting up an alert or report to track these forwarders with custom data inputs?

Thanks!


gcusello
SplunkTrust

Hi @spluzer,
if I correctly understood your need, you have:

  • at first to identify these flows (e.g. they are in one index or they have a known sourcetype),
  • then create a lookup (called e.g. perimeter.csv) containing all the target servers to monitor (at least one column called e.g. host);
  • then run a search like this: your_search | eval host=lower(host) | stats count BY host | append [ | inputlookup your_lookup.csv | eval host=lower(host), count=0 | fields host count ] | stats sum(count) AS total BY host | where total=0

Ciao.
Giuseppe

nahfam
Path Finder

Thanks, the hard part is locating what is "custom". Do you know of a query that might return a list of "custom" data inputs? Or, a way to list "default" data inputs and then use that as a list to determine what is "custom"...thanks again for your help!


gcusello
SplunkTrust

Hi @spluzer,
if a UF is managed by the Deployment Server, you cannot have custom apps.
So custom inputs can only be in %SPLUNK_HOME/etc/system/local.
At this point you can use a remote script to check them or, using Splunk, you could create and deploy an input that collects all the inputs.conf files that are in the %SPLUNK_HOME/etc/system/local folder.
Something like this:

[monitor:///opt/splunk/etc/system/local/inputs.conf]
index=main
sourcetype=inputs_check
disabled=0

And then analyze the results.

Ciao.
Giuseppe

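The "remote script" route mentioned above, worked out as an added example (this is not code from the thread or from Splunk). It walks a forwarder's $SPLUNK_HOME, parses every inputs.conf that lives in etc/system/local or in an app not on the deployment server's list, and reports each input stanza it finds. The managed-app list (ds_linux_inputs), the hostnames, paths and the fake SPLUNK_HOME built by build_demo_tree() are constructed for the demo; in practice the managed-app names would come from the deployment server's serverclass.conf and the script would run as a scripted input or via your config-management tool.

```python
"""Audit a Universal Forwarder for inputs.conf stanzas outside
deployment-server-managed apps (added example, not from the original thread).

Assumption (from the thread): on a DS-managed forwarder, a hand-edited input
can only live in etc/system/local or in an app the DS did not push, so any
stanza found there is "custom" and would be lost on a rebuild.
"""
import json
import os
import re
import tempfile

SYSTEM_LOCAL = "etc/system/local/inputs.conf"
STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_stanzas(text):
    """Minimal Splunk .conf parser: '#' comments, [stanza] headers, key = value.
    Returns {stanza_name: {key: value}} preserving file order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def find_custom_inputs(splunk_home, managed_apps):
    """Return [(relative_conf_path, stanza_name, enabled), ...] for every input
    stanza that sits in etc/system/local or in an app not in managed_apps.
    managed_apps: set of app directory names the deployment server pushes
    (assumed to be exported from serverclass.conf on the DS)."""
    candidates = [SYSTEM_LOCAL]
    apps_dir = os.path.join(splunk_home, "etc", "apps")
    if os.path.isdir(apps_dir):
        for app in sorted(os.listdir(apps_dir)):
            if app in managed_apps:
                continue  # pushed by the DS, so it will be re-deployed
            for sub in ("local", "default"):
                candidates.append(f"etc/apps/{app}/{sub}/inputs.conf")

    findings = []
    for rel in candidates:
        path = os.path.join(splunk_home, *rel.split("/"))
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as fh:
            stanzas = parse_stanzas(fh.read())
        for name, kv in stanzas.items():
            if name == "default":
                continue  # global settings, not a data input
            enabled = kv.get("disabled", "0").lower() not in ("1", "true")
            findings.append((rel, name, enabled))
    return findings


def build_demo_tree():
    """Constructed fixture: a fake SPLUNK_HOME with one DS-managed app and two
    stray locations holding hand-edited inputs."""
    home = tempfile.mkdtemp(prefix="uf_audit_")
    files = {
        "etc/apps/ds_linux_inputs/local/inputs.conf":
            "[monitor:///var/log/secure]\nindex = os\nsourcetype = linux_secure\n",
        SYSTEM_LOCAL:
            "[default]\nhost = web01\n\n"
            "# hand-added by an admin, not on the deployment server\n"
            "[monitor:///opt/app/logs/access.log]\nindex = web\n"
            "sourcetype = access_combined\n\n"
            "[script://./bin/old_check.sh]\ndisabled = 1\n",
        "etc/apps/my_custom_app/local/inputs.conf":
            "[monitor:///var/log/custom.log]\nindex = main\n",
    }
    for rel, body in files.items():
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return home


if __name__ == "__main__":
    # Emit one JSON event per finding, suitable for a scripted input.
    home = build_demo_tree()
    for rel, stanza, enabled in find_custom_inputs(home, {"ds_linux_inputs"}):
        print(json.dumps({"host": os.uname().nodename, "file": rel,
                          "stanza": stanza, "enabled": enabled}))
```

Run against a real forwarder by passing $SPLUNK_HOME and the set of app names your serverclass.conf deploys; any line the script emits is a stanza the deployment server does not know about, which is exactly the list the question asks for. Indexing those JSON events gives you the "analyze the results" step above as a simple `stats count by host, stanza`.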

spluzer
Communicator

Cool, thanks!
