- Splunk Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: Is forwarder management data indexed?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is forwarder management data indexed?
Hello,
I want to be able to customize searches on the data in the forwarder management page. It would seem that client phone-home status is being cached somewhere like in an index but I can't find it. I would like to be able to have more flexible filtering on what I see and the ability to sort it.
Thanks,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look in the _internal index. Here are some ideas to get you started...
Are apps being downloaded?
index=_internal component=DeployedApplication OR
component=PackageDownloadRestHandler sourcetype=splunkd
| table _time log_level host app message
Is the deployment client phoning home?
index=_internal (*phonehome* component=DC*) OR (component=DC:HandshakeReplyHandler)
| sort _time
| table _time host log_level message
Is the deployment server hearing the phone homes?
index=_internal metrics group=deploy-server sourcetype=splunkd
| timechart span=2m avg(nReceived) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes. According to forwarder management page. Also apps have been deployed as expected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did the client actually phone home?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again L. Understood. In this case, we recently added 28 of our first windows clients we're mostly splunking Linux. I see most phoning home fine within minutes in the clients page, but it doesn't look like the phone home events actually end up in the clients' splunkd.logs, I see other events relating to watched file monitors etc but nothing with regards to phone-homes. I was trying to access the same data the forwarder management is using to tell me that x-client has phoned home in the past minute, I take it that this either not indexed or not accessible. Thanks, Sean.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, all the forwarders should be sending their splunkd.log files (and some others) to the splunk indexers - so you should be able to see things from the forwarder perspective as well as from the forwarder management server.
A search of
index=_internal sourcetype=splunkd | stats count by host
over the last hour should show many different hosts...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks L. I was seeing some relevant events, but I am not finding anything on my deployment server in _internal which would correspond to the actual phone-home event and tie it to a client other than the splunkd_access logs which don't really have anything that useful or even easily extractable. I basically want to search and report similar to the "Clients" tab in forwarder management, but apply some more complex filters and sort the list. If it is not doable I understand.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
