Getting Data In

How to export a list containing Host Name, Host IP, Apps, Server Class, and Machine Type for a Splunk server?

rbullard
Engager

My group is taking over operations for a Splunk server brought over from an acquisition. We are trying to get a handle on what the previous Splunk admins had set up.

We would like to export a list that has the following information:
Host Name
Host IP
Apps
Server Class
Machine Type

I haven't been able to find a config file or search pattern to produce those results. Any help is appreciated.

Thanks,
Rick

wrangler2x
Motivator

Hybrid of the above searches:

| rest /services/deployment/server/clients splunk_server=local
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval Forwarder = lower(dns)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os = case(os == "linux", "Linux", os == "windows", "Windows", arch == "sun4u", "Solaris", arch == "sun4v", "Solaris")
| fields - utsname
| lookup version2build.csv build
| rename averagePhoneHomeInterval AS PHI
| stats values(Apps) AS Apps, values(ServerClasses) AS ServerClasses, count by Forwarder ip os arch version build clientName splunk_server PHI lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-PHI
| eval missing=if(missing<0, 0, missing)
| eval Missing=case(missing==0, "No", missing>0, "Yes")
| fields - missing
| addtotals count col=t row=f
0 Karma

goelli
Communicator

As somesoni2 already suggested, you can use the rest command on the DeploymentServer, or on any server that has the DeploymentServer as a search peer, to access the REST endpoint /services/deployment/client. It provides all information about the connected clients.

I found this approach a little more readable:

| rest /services/deployment/server/clients
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| table hostname ip dns utsname clientName Apps ServerClasses averagePhoneHomeInterval lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-averagePhoneHomeInterval | eval missing=if(missing<0, 0, missing)

somesoni2
Revered Legend

Splunk REST API endpoints are here to help. Try something like this:

| rest /services/deployment/server/clients
| table dns ip utsname *.restartSplunkd
| eval temp=dns."#".ip."#".utsname
| table temp *.restartSplunkd
| untable temp apps count
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null())
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null())
| rex field=temp "(?<Host>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)"
| table Host Host_IP Machine_Type Apps ServerClass
| stats values(*) as * by Host Host_IP Machine_Type

rbullard
Engager

Unfortunately that provides "No results". Maybe the previous admins did more extensive changes than I would have thought.

Taking your answer and attempting to find those "changes".

0 Karma

somesoni2
Revered Legend

Try to run this query from the deployment server's Splunk Web.

0 Karma

jwiedow
Communicator

Thank you somesoni2. I had a similar request and this helped me out immensely. I updated your search slightly as follows and ran it on our DMC and the results are exactly what we are looking for.

| rest splunk_server_group=dmc_group_deployment_server /services/deployment/server/clients
| eval hostname=lower(hostname)
| eval lastphonehome=strftime(lastPhoneHomeTime,"%m/%d/%Y %H:%M:%S%z")
| table splunk_server hostname dns ip utsname build name lastphonehome *.restartSplunkd
| eval temp=splunk_server."#".hostname."#".dns."#".ip."#".utsname."#".build."#".name."#".lastphonehome
| table temp *.restartSplunkd
| untable temp apps count
| eval Apps=if(like(apps,"app%"),mvindex(split(apps,"."),1),null())
| eval ServerClass=if(like(apps,"server%"),mvindex(split(apps,"."),1),null())
| rex field=temp "(?<SplunkDS>.*)#(?<Host>.*)#(?<FQDN>.*)#(?<Host_IP>.*)#(?<Machine_Type>.*)#(?<Build>.*)#(?<clientName>.*)#(?<Last_PhoneHome>.*)"
| table SplunkDS Host FQDN Host_IP Machine_Type Build clientName Last_PhoneHome Apps ServerClass
| stats values(*) as * by SplunkDS Host FQDN Host_IP Machine_Type Build clientName Last_PhoneHome
| sort +Host,+SplunkDS

It would be nice to see the DMC extended to include Deployment Server information instead of having to do this ourselves.

0 Karma
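The same flattening that the foreach/untable searches in this thread perform, done outside Splunk as an added example that is not from any of the posters: a Python script that walks the parsed JSON from GET /services/deployment/server/clients?output_mode=json and writes the hand-over CSV (Host, IP, Machine Type, Apps, Server Class, plus the "Missing" check). The response layout (entry[].content with nested applications and serverClasses dicts) is an assumption, and the two sample clients are constructed.

```python
import csv
import io

# Constructed sample of the parsed JSON returned by
# GET /services/deployment/server/clients?output_mode=json (assumed layout:
# entry[].content with nested applications/serverClasses dicts, which the SPL
# rest command flattens into applications.<app>.restartSplunkd fields).
SAMPLE = {"entry": [
    {"name": "client-0001", "content": {
        "hostname": "WEB01", "ip": "10.0.0.11", "dns": "web01.example.test",
        "utsname": "linux-x86_64", "lastPhoneHomeTime": 1700000000,
        "averagePhoneHomeInterval": 60,
        "applications": {"Splunk_TA_nix": {"restartSplunkd": True},
                         "all_outputs": {"restartSplunkd": False}},
        "serverClasses": {"linux_hosts": {"restartSplunkd": True}}}},
    {"name": "client-0002", "content": {
        "hostname": "DC01", "ip": "10.0.0.21", "dns": "dc01.example.test",
        "utsname": "windows-x64", "lastPhoneHomeTime": 1699990000,
        "averagePhoneHomeInterval": 60, "applications": {}, "serverClasses": {}}},
]}

OS_NAMES = {"linux": "Linux", "windows": "Windows"}  # first half of utsname

def inventory(doc, now):
    """One row per deployment client, mirroring the foreach/untable searches."""
    rows = []
    for entry in doc.get("entry", []):
        c = entry["content"]
        os_raw = c.get("utsname", "").partition("-")[0]
        # Same rule as the searches: overdue if no phone-home within one interval.
        overdue = max(0, now - c["lastPhoneHomeTime"] - c["averagePhoneHomeInterval"])
        rows.append({
            "Host": c.get("hostname", "").lower(),
            "Host_IP": c.get("ip", ""),
            "FQDN": c.get("dns", "").lower(),
            "Machine_Type": OS_NAMES.get(os_raw, os_raw),
            "clientName": entry["name"],
            "Apps": ";".join(sorted(c.get("applications", {}))),
            "ServerClasses": ";".join(sorted(c.get("serverClasses", {}))),
            "Missing": "Yes" if overdue > 0 else "No",
        })
    return rows

def to_csv(rows):
    # Serialise the inventory as CSV text for the hand-over spreadsheet.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Feed it the parsed response and the current epoch time, e.g. to_csv(inventory(json.load(resp), now=int(time.time()))), and write the returned text to a file.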