Reputation: 23
Splunk query for Forwarder Management
Good day,
I am new to Splunk and would like to get the backend query for the Forwarder Management. I am writing creating a dashboard to check all devices picked up in Splunk and check if they have our security tools installed on them.
To check if a device has the splunk forwarder installed I want to get my data from the Forwarder management dashboard which is a default dashboard where you can create server classes and more.
The Clients tab has all the devices that phoned home in the past 30 days and this means they have the forwarder installed.
Is there an easier way to check all devices for security tools? This is what I have so far.
| rest * count=0 splunk_server=local
| table hostname serverClasses.*.stateOnClient
| untable hostname ServerClassNames dummy
| rex field=ServerClassNames "serverClasses\.(?<Azutre_VMS_Security_Tools>[^\.]+)\.stateOnClient$"
| stats values(ServerClassNames) as ServerClassNames dc(ServerClassNames) as NumberOfServerClasses by hostname
| rename hostname as clientName
| table clientName, NumberOfServerClasses, ServerClassNames
This is my code to get all devices
index=* earliest=-30d latest=now
| stats dc(host) as UniqueHostCount by host
| where UniqueHostCount > 0
| table host
I want to get the query first for the forwarder( it does not work the one above) before querying if the host does not display in the forwarder to display in the results
Upvotes: 2
Views: 63
Answers (1)
Reputation: 9926
There are a few ways to find which devices are sending data to Splunk.
To get a list of forwarders, send a /services/deployment/server/clients API request to the Deployment Server. See https://docs.splunk.com/Documentation/Splunk/9.2.2/RESTREF/RESTdeploy#deployment.2Fserver.2Fclients for details.
Another way to find forwarders is to search the internal index for incoming TCP connections.
index=_internal sourcetype=splunkd component=Metrics group=tcpin_connections
| dedup sourceHost
| table sourceHost fwdType
To see all hosts that send data, not just forwarders, count the hosts found in all indexes.
| tstats count where index=* host=* by host
Upvotes: 2
Related Questions
- Merge url with parameters into 1 in Splunk
- how to write splunk query to create a dashboard
- Display result count of multiple search query in Splunk table
- How do you get a Splunk forwarder to work with the main Splunk server?
- Writing a Splunk Query - Unique Count of Initial Access Key Usage from Cloudtrail
- Missing forwarder Alert
- Splunk how to combine two queries and get one answer
- Using Named Group Capture With rex In a Splunk Dashboard Query?
- Simulating security breach using Splunk