Splunk search for Connected Universal Forwarders

index="_internal" sourcetype="splunkd" source="*metrics.log*" group=tcpin_connections component=Metrics
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| eval connectionType=case(fwdType=="uf","Universal Forwarders", fwdType=="lwf","Lightweight Forwarder", fwdType=="full","Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
| eval version=if(isnull(version),"< 4.2",version)
| eval guid=if(isnull(guid),sourceHost,guid)
| eval os=if(isnull(os),"unknown",os)
| eval arch=if(isnull(arch),"unknown",arch)
| fields connectionType sourceIp sourceHost splunk_server version os arch kb guid
| eval lastReceived=case(kb>0, _time)
| eval lastConnected=_time
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived by sourceHost guid
| addinfo
| eval status=case(lastConnected<(info_max_time-900),"missing", isnull(lastReceived) or lastReceived<(info_max_time-900),"quiet", true(),"active")
| fields sourceHost sourceIp version connectionType os arch lastConnected lastReceived status
| rename sourceHost as Forwarder version as "Splunk Version" connectionType as "Forwarder Type" os as "OS" status as "Current Status" lastConnected as "Last Connected" lastReceived as "Last Data Received"
| eval "Last Data Received"=strftime('Last Data Received', "%D %H:%M:%S"), "Last Connected"=strftime('Last Connected', "%D %H:%M:%S")
This search lists every forwarder that has connected to an indexer (or to an intermediate heavy forwarder) during the search window, not only Universal Forwarders; the forwarder type column tells them apart. It reads the tcpin_connections metrics that the receiving splunkd writes to its own metrics.log, so it has to be run from a search head that searches the indexers' _internal index; the forwarders themselves never log these events. For each forwarder, grouped by hostname and GUID, it outputs the hostname, source IP, Splunk version, forwarder type (Universal, Lightweight, Heavy, or a pre-4.2 cooked/raw connection), operating system, architecture (for example x86_64), the last time it connected, the last time it actually delivered data (a metrics interval with kb>0) and a status:

- missing: no connection for more than 900 seconds (15 minutes) before the newest event in the result set. addinfo supplies that reference point as info_max_time, so the threshold is relative to the time range you search, not to the wall clock.
- quiet: still connecting within that period, but no data received in it (or none at all in the search window). This is the case to watch: the TCP session is healthy, so nothing errors on the indexer side, yet the host has stopped producing events.
- active: connected and sending data.

Forwarders that do not report version, os or arch predate Splunk 4.2; those columns show "< 4.2" and "unknown" for them.

From a monitoring standpoint, missing and quiet forwarders are log-collection gaps. A host whose agent has been stopped or whose outputs are blocked silently drops out of every detection that depends on it, so this table is worth scheduling as an alert rather than running ad hoc.
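As an added illustration, not part of the original post or of Splunk's own code, the following Python replicates the grouping and status logic of the search on a few constructed metrics.log lines so that the missing/quiet/active classification can be checked offline. The log lines, hostnames, IP addresses and GUIDs are made up, and the field set is trimmed to the fields the search reads.

```python
import re
from datetime import datetime, timezone

# The search marks a forwarder "missing" when its last connection is more than
# 900 s older than the newest event in the result set (info_max_time from addinfo).
MISSING_AFTER_SECONDS = 900

# Constructed metrics.log lines (not captured data). The field set is trimmed to
# what the search reads. The last line imitates a pre-4.2 raw connection with no
# hostname/version/fwdType fields, so the search's fallback evals are exercised.
SAMPLE_METRICS_LOG = """\
05-20-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cookedSSL, sourcePort=51234, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=12.40, version=9.1.2, os=Linux, arch=x86_64, hostname=web01, guid=AAAA-1111, fwdType=uf, ssl=true
05-20-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:51235:9997, connectionType=cookedSSL, sourcePort=51235, sourceHost=10.0.0.12, sourceIp=10.0.0.12, destPort=9997, kb=3.10, version=9.1.2, os=Windows, arch=x86_64, hostname=dc01, guid=BBBB-2222, fwdType=uf, ssl=true
05-20-2024 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:51236:9997, connectionType=cookedSSL, sourcePort=51236, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=0.00, version=8.2.6, os=Linux, arch=x86_64, hostname=app07, guid=CCCC-3333, fwdType=full, ssl=true
05-20-2024 10:30:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:51234:9997, connectionType=cookedSSL, sourcePort=51234, sourceHost=10.0.0.11, sourceIp=10.0.0.11, destPort=9997, kb=9.80, version=9.1.2, os=Linux, arch=x86_64, hostname=web01, guid=AAAA-1111, fwdType=uf, ssl=true
05-20-2024 10:30:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:51236:9997, connectionType=cookedSSL, sourcePort=51236, sourceHost=10.0.0.13, sourceIp=10.0.0.13, destPort=9997, kb=0.00, version=8.2.6, os=Linux, arch=x86_64, hostname=app07, guid=CCCC-3333, fwdType=full, ssl=true
05-20-2024 10:30:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.14:51237:9997, connectionType=raw, sourcePort=51237, sourceHost=10.0.0.14, sourceIp=10.0.0.14, destPort=9997, kb=1.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+Metrics - (?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+)=([^,]+)")  # key=value pairs; the bare ip:port:port token has no '='


def parse_line(line):
    """Return (epoch_seconds, fields) for a tcpin_connections metrics line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("body")))
    if fields.get("group") != "tcpin_connections":
        return None
    ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z").timestamp()
    return ts, fields


def forwarder_type(fields):
    """Mirror the case() in the search: fwdType first, then the connection flavour."""
    fwd_type = fields.get("fwdType")
    conn = fields.get("connectionType")
    if fwd_type == "uf":
        return "Universal Forwarders"
    if fwd_type == "lwf":
        return "Lightweight Forwarder"
    if fwd_type == "full":
        return "Heavy Forwarder"
    if conn in ("cooked", "cookedSSL"):
        return "Splunk forwarder"
    if conn in ("raw", "rawSSL"):
        return "Legacy Forwarder"
    return None


def fmt(ts):
    """Same layout as strftime(..., "%D %H:%M:%S") in the search (%D is mm/dd/yy)."""
    if ts is None:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%y %H:%M:%S")


def summarize_forwarders(log_text, missing_after=MISSING_AFTER_SECONDS):
    """Group by (host, guid) like the stats clause and classify each forwarder."""
    forwarders = {}
    info_max_time = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        info_max_time = ts if info_max_time is None else max(info_max_time, ts)
        host = f.get("hostname") or f.get("sourceHost")  # eval sourceHost=if(isnull(hostname),...)
        guid = f.get("guid") or host                      # eval guid=if(isnull(guid),sourceHost,guid)
        entry = forwarders.setdefault((host, guid), {
            "Forwarder": host, "sourceIp": f.get("sourceIp"),
            "Splunk Version": f.get("version", "< 4.2"),
            "Forwarder Type": forwarder_type(f),
            "OS": f.get("os", "unknown"), "arch": f.get("arch", "unknown"),
            "lastConnected": ts, "lastReceived": None,
        })
        entry["lastConnected"] = max(entry["lastConnected"], ts)
        if float(f.get("kb", "0")) > 0:                   # lastReceived = case(kb>0, _time)
            entry["lastReceived"] = max(entry["lastReceived"] or ts, ts)
    results = {}
    for entry in forwarders.values():
        if entry["lastConnected"] < info_max_time - missing_after:
            status = "missing"
        elif entry["lastReceived"] is None or entry["lastReceived"] < info_max_time - missing_after:
            status = "quiet"
        else:
            status = "active"
        entry["Current Status"] = status
        entry["Last Connected"] = fmt(entry.pop("lastConnected"))
        entry["Last Data Received"] = fmt(entry.pop("lastReceived"))
        results[entry["Forwarder"]] = entry
    return results


if __name__ == "__main__":
    for row in summarize_forwarders(SAMPLE_METRICS_LOG).values():
        print(f'{row["Forwarder"]:<12} {row["Forwarder Type"]:<22} {row["Current Status"]:<8} '
              f'last connected {row["Last Connected"]}  last data {row["Last Data Received"]}')
```

With the constructed data, web01 is active, dc01 (last seen 30 minutes before the newest event) is missing, app07 keeps connecting with kb=0 and is therefore quiet, and the raw connection from 10.0.0.14 falls through to the legacy branches ("< 4.2", unknown OS). Passing a larger missing_after shows how the threshold shifts with the reference point.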

Category:

General Splunk


Tags:

universal forwarders administration

Search Commands:

eval, fields, stats, addinfo, rename, strftime