Deployment Architecture

How to get forwarder details with port

Mohsin123
Path Finder

Hi,

Can anyone help me with a query to list the hosts with forwarder and port details?
E.g., which application has which hosts, and whether they have forwarders installed or not?
If they have, then which forwarders are they pointing to, with port details?


harsmarvania57
Ultra Champion

Hi,

Please try the query below:

index=_internal source=*metrics.log group=tcpout_connections | stats values(destIp) AS HF_Splunk_Server, values(destPort) AS HF_Port by host

If you want to search for old HFs, then you can filter those out using the query below:

index=_internal source=*metrics.log group=tcpout_connections (destIp=<Old_HF1_IP> OR destIp=<Old_HF2_IP>) | stats values(destIp) AS HF_Splunk_Server, values(destPort) AS HF_Port by host

FrankVl
Ultra Champion

You can find the hosts that are sending to your old HFs with the following search:

index=_internal host=YOUR-OLDHFs source=*metrics.log group=tcpin_connections | stats count by hostname

This shows the metrics for incoming tcp connections on your HFs, listing the hostnames which will be the hosts sending into those tcp connections.


ansif
Motivator

The question is not clear. Do you mean to list the hosts in your environment which have forwarders installed and not installed? If a UF is installed, what do you mean by port details?


Mohsin123
Path Finder

Hi Ansif,

Let me clarify a bit.
We have approximately 300 hosts which send data to Splunk.
On those hosts, if forwarders are present, then our HFs are specified in their outputs.conf file.
We want them to change the HF details.
Now the challenge is that a few hosts already have our new HF details and a few are pointing to the old ones that we are planning to decommission.
So, I found the list of hosts that send data to Splunk by using the queries below, but how can I know which hosts have pointers to old HFs and which have pointers to new HFs? Can you please frame me a query to achieve this?

The queries I used are below:

index=_internal sourcetype=splunkd source=*metrics.log forwarder|eval forwarder=mvindex(split(source, "/"),-5)|chart values(forwarder) as FORWARDER by host

index=_internal |chart values(h) as HOST by idx

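Pulling the answers in this thread together, the search below is an added example (not posted by anyone in the thread) that produces the table the question asks for: one row per forwarding host, the HF addresses and ports it sends to, and whether it still points at the HFs being decommissioned. It builds on harsmarvania57's tcpout_connections search and the destIp/destPort fields used there. The placeholders <OLD_HF1_IP>, <OLD_HF2_IP>, <NEW_HF1_IP> and <NEW_HF2_IP> are assumed values to replace with your own HF addresses; add more OR clauses if you have more HFs.

```spl
index=_internal source=*metrics.log group=tcpout_connections
| eval hf_generation=case(
      destIp="<OLD_HF1_IP>" OR destIp="<OLD_HF2_IP>", "old",
      destIp="<NEW_HF1_IP>" OR destIp="<NEW_HF2_IP>", "new",
      true(), "unknown")
| stats values(destIp) AS HF_Splunk_Server,
        values(destPort) AS HF_Port,
        values(hf_generation) AS hf_generation,
        max(_time) AS last_seen
  by host
| eval status=if(mvfind(hf_generation, "^(old|unknown)$") >= 0,
                 "outputs.conf needs updating",
                 "pointing at new HFs only")
| convert ctime(last_seen)
| sort status, host
```

Run it over a time range that covers the whole migration window (for example the last 7 days) so that a host that only phones home occasionally is still counted. A host with both "old" and "new" in hf_generation has an outputs.conf that lists both generations of HFs and still needs editing; "unknown" means the forwarder is sending to a destIp you did not list, which is worth checking before the old HFs are switched off. This search only sees forwarders whose internal logs still reach the indexers; FrankVl's tcpin_connections search run on the old HFs themselves is the complementary check from the receiving side.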