Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a search to figure out which forwarder has which app?

nebel
Communicator
‎08-29-2012 02:52 AM

Hi,

I have a lot of forwarders. I want to make sure that the forwarders got the right app.
I did some searches but could not find anything related to my request.

Is there a Splunk search which shows a list with all forwarders and the installed app?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-29-2012 03:48 AM

Each forwarder writes to it's splunkd.log under the DeployedApplication component, something like;

07-21-2012 12:01:22.267 +0300 INFO  DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle

If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for

index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution

ziegfried
Influencer
‎08-29-2012 04:00 AM

You can find information about which forwarder downloaded a deployment app in Splunkd's access log on the deployment server:

index=_internal sourcetype="splunkd_access" uri_path=/services/streams/deployment | rex field=name ":(?<serverClass>.+?):(?<app>.+)" | table _time clientip serverClass app
Reply
Solved! Jump to solution

nebel
Communicator
‎08-29-2012 05:05 AM

thank you as well! it worked also, but there was just one chance to give it a green tick, sorry but thank you!

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎08-29-2012 03:48 AM

Each forwarder writes to it's splunkd.log under the DeployedApplication component, something like;

07-21-2012 12:01:22.267 +0300 INFO  DeployedApplication - Refreshed app: WinEvtSec for service class: AppsByMachineType from archive: C:\Program Files\SplunkUniversalForwarder\var\run\AppsByMachineType\WinEvtSec-1306487137.bundle

If you've forwarded the splunkd.log from the forwarder to the indexer, it should be found in the _internal index. Try searching for

index=_internal DeployedApplication | rex "\sapp:\s(?<DepApp>\S+)\s" | stats values(DepApp) by host

Hope this helps,

Kristian

Reply
Solved! Jump to solution

nebel
Communicator
‎08-29-2012 05:05 AM

thank you very much, that worked great for my case! 🙂

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎08-29-2012 03:50 AM

oops. found a typo. fixed it. /k

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...