Hi Guys
I work in a huge environment and one of the Unix guys has installed a forwarder on their Unix box. I'm assured that the installation was successful and I have to take that as gospel at the moment. My question is: should I expect to see a Unix forwarder in the Deployment Manager app?
Is there a search I can put into Splunk to find the Unix forwarder? The funny thing is I'm able to search the host name of where this forwarder has been installed and logs are found, but they're found from a while back up until now. The forwarder was only installed a few hours ago, so Splunk is getting this information from somewhere else by the look of it.
Any ideas?
Hi Aaron,
Yes, you should be seeing the forwarders in the DM app. Here is a modified, shortened version of the search used to populate the Forwarders View inside the app:
index="_internal" source="*metrics.lo*" group=tcpin_connections | stats count by host
Forwarder logs are sent to the _internal index and have metrics.log inside the source name. If you want to see the raw events, remove the stats clause.
Thanks,
Michael
If the forwarder was configured to index /var/log/messages/ then it probably just indexed the archived log files.