Splunk search for Forwarders with certificate errors
index=_internal sourcetype=splunkd HttpListener "Socket error from "
| rex "(?<errorLog>WARN\s+HttpListener\s.*?Socket error.*)"
| rex field=errorLog "WARN\s+HttpListener\s.*?Socket error from\s+(?<ip>[^ ]+)"
| rename ip as uf_ip
| stats earliest(_time) AS Earliest latest(_time) as Latest count by uf_ip host errorLog
| eval Earliest=strftime(Earliest,"%b %d, %Y %H:%M:%S")
| eval Latest=strftime(Latest,"%b %d, %Y %H:%M:%S")
| table Earliest Latest uf_ip errorLog count
| sort - count | rename Earliest as "First Seen", Latest as "Last Seen", uf_ip as "Source IP", errorLog as "Error Log", count as Count
This Splunk search returns details on Universal Forwarders that are reporting certificate-related errors: it reads the `HttpListener` "Socket error from" warnings in the `_internal` index, extracts the forwarder's source address and the full error message, and shows when each was first and last seen together with how many times it occurred.
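To show what the two `rex` stages and the `stats` aggregation actually do, here is an added Python example (not part of the original page, and not Splunk's own code) that applies the same patterns to a handful of constructed splunkd log lines and builds the same First Seen / Last Seen / Source IP / Error Log / Count table offline. It goes one step further than the search above: the search's `[^ ]+` capture keeps the ephemeral source port in `uf_ip`, so every connection attempt lands in its own row; the example strips the port so repeated failures from one forwarder collapse into a single row, and keeps the most recent message as the Error Log column. The timestamp layout of the sample lines is an assumption about the splunkd log format, and the sample lines themselves are constructed, not captured from a real system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample splunkd.log lines (not from a real system). The message
# layout mirrors the "Socket error from <ip>:<port>" warnings that the
# HttpListener component writes when a forwarder's TLS handshake fails.
SAMPLE_LOG = """\
01-15-2024 10:02:11.100 +0000 WARN  HttpListener - Socket error from 10.0.0.5:51234 while idling: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
01-15-2024 10:05:42.300 +0000 WARN  HttpListener - Socket error from 10.0.0.5:51240 while idling: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
01-15-2024 10:07:03.000 +0000 INFO  TcpInputProc - Connection in cooked mode from src=10.0.0.9:40000
01-15-2024 10:09:19.500 +0000 WARN  HttpListener - Socket error from 10.0.0.7:60001 while accessing /services/collector: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
01-15-2024 10:11:00.000 +0000 WARN  HttpListener - Socket error from 10.0.0.5:51250 while idling: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
"""

# The two rex patterns from the search, in Python's (?P<name>...) group syntax.
ERROR_LOG_RE = re.compile(r"(?P<errorLog>WARN\s+HttpListener\s.*?Socket error.*)")
IP_RE = re.compile(r"WARN\s+HttpListener\s.*?Socket error from\s+(?P<ip>[^ ]+)")
# Leading splunkd timestamp, "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ" (assumed layout).
TS_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
TIME_FMT = "%b %d, %Y %H:%M:%S"  # same display format as the search's strftime


def parse_line(line):
    """Return (timestamp, uf_ip, errorLog) for a matching line, else None."""
    m_err = ERROR_LOG_RE.search(line)
    m_ip = IP_RE.search(line)
    m_ts = TS_RE.match(line)
    if not (m_err and m_ip and m_ts):
        return None
    ts = datetime.strptime(m_ts.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    # The search's [^ ]+ keeps "ip:port". Drop the ephemeral source port so
    # that repeated attempts from one forwarder collapse into a single row.
    uf_ip = m_ip.group("ip").rsplit(":", 1)[0]
    return ts, uf_ip, m_err.group("errorLog")


def summarize(log_text):
    """Emulate `stats earliest(_time) latest(_time) count by uf_ip | sort - count`.

    Returns a list of dicts using the column names the search renames to.
    The Error Log column holds the most recent message seen for that IP.
    """
    rows = defaultdict(lambda: {"first": None, "last": None, "count": 0, "err": ""})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an HttpListener socket error; the base search drops it too
        ts, uf_ip, err = parsed
        row = rows[uf_ip]
        row["count"] += 1
        if row["first"] is None or ts < row["first"]:
            row["first"] = ts
        if row["last"] is None or ts >= row["last"]:
            row["last"], row["err"] = ts, err
    table = [
        {
            "First Seen": r["first"].strftime(TIME_FMT),
            "Last Seen": r["last"].strftime(TIME_FMT),
            "Source IP": ip,
            "Error Log": r["err"],
            "Count": r["count"],
        }
        for ip, r in rows.items()
    ]
    return sorted(table, key=lambda r: r["Count"], reverse=True)


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Running it on the constructed lines yields two rows: 10.0.0.5 with a count of 3 (repeated "wrong version number" handshakes, typically a forwarder sending plaintext to a TLS port or the reverse) and 10.0.0.7 with a count of 1 ("bad certificate" alert). If you want the same per-forwarder grouping in Splunk itself, change the search's capture to `(?<ip>[^ :]+)` and drop `errorLog` from the `by` clause, at the cost of losing the per-message detail.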