SPL
List of Universal Forwarders with Version
Description
The following Splunk query returns one row for each host that sends data to a Splunk indexer through a universal forwarder, together with the forwarder version and the architecture (64-bit vs 32-bit). It reads the indexer's own tcpin_connections metrics from the _internal index; where a forwarder reports no hostname the source host is used instead, and forwarders too old to report a version are labelled "pre 4.2".
index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | stats count by Hostname version architecture | sort + version
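To make the query's logic concrete without a Splunk instance, here is an added Python example (not from the original page or from Splunk) that applies the same steps to a few constructed metrics.log lines: keep group=tcpin_connections events that carry no eventType, fall back from hostname to sourceHost, default version to "pre 4.2" and arch to "n/a", count per hostname/version/architecture, and sort by version. The sample lines, the field set and the minimum-version baseline of 9.0.0 in outdated() are assumptions for illustration; the second function goes one step past the query and flags forwarders below that baseline, which is the usual reason a defender runs this inventory.

```python
import re
from collections import Counter

# Constructed sample metrics.log lines (not real data) in the shape the query
# above filters on. Line 3 mimics a forwarder too old to report hostname,
# version or arch (the "pre 4.2" case); line 4 carries an eventType and is
# dropped by the query's "NOT eventType=*" clause; the last line is a
# different metrics group and is dropped by group=tcpin_connections.
SAMPLE_METRICS_LOG = """\
01-01-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:9997, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, arch=x86_64, hostname=web01, version=9.1.2
01-01-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.6:9997, sourceHost=10.0.0.6, sourceIp=10.0.0.6, destPort=9997, arch=i386, hostname=legacy01, version=6.6.0
01-01-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.7:9997, sourceHost=10.0.0.7, sourceIp=10.0.0.7, destPort=9997
01-01-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, eventType=connect_done, sourceHost=10.0.0.8, sourceIp=10.0.0.8, destPort=9997, arch=x86_64, hostname=db01, version=9.1.2
01-01-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:9997, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, arch=x86_64, hostname=web01, version=9.1.2
01-01-2024 10:00:31.000 +0000 INFO  Metrics - group=other_group, sourceHost=10.0.0.9, hostname=ignored, version=9.1.2
"""

# key=value pairs separated by commas, as splunkd writes them in metrics.log
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_metrics_line(line):
    """Return the key=value fields of one metrics.log line as a dict."""
    return dict(KV_RE.findall(line))


def forwarder_inventory(text):
    """Reproduce the SPL above: filter, coalesce, default, count, sort."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_metrics_line(line)
        if fields.get("group") != "tcpin_connections":   # group=tcpin_connections
            continue
        if "eventType" in fields:                         # NOT eventType=*
            continue
        hostname = fields.get("hostname") or fields.get("sourceHost")  # eval Hostname=...
        version = fields.get("version", "pre 4.2")                     # eval version=...
        arch = fields.get("arch", "n/a")                               # eval architecture=...
        counts[(hostname, version, arch)] += 1                         # stats count by ...
    rows = [
        {"Hostname": h, "version": v, "architecture": a, "count": c}
        for (h, v, a), c in counts.items()
    ]
    # sort + version: ascending by the version string
    return sorted(rows, key=lambda row: row["version"])


def version_key(version):
    """Numeric tuple for dotted versions; 'pre 4.2' and anything unparsable sort lowest."""
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return (0,)


def outdated(inventory, minimum="9.0.0"):
    """Hostnames whose forwarder is below the assumed minimum acceptable version."""
    return sorted(
        row["Hostname"] for row in inventory
        if version_key(row["version"]) < version_key(minimum)
    )


if __name__ == "__main__":
    inventory = forwarder_inventory(SAMPLE_METRICS_LOG)
    for row in inventory:
        print(row)
    print("below baseline:", outdated(inventory))
```

Running the script lists one row per host with its version, architecture and event count, then the hosts whose forwarder is older than the baseline; in a real deployment the same check run against the query's output is how stale agents get scheduled for upgrade.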
Comments
I am looking for some use cases regarding perimeter firewall. I have Palo Alto.
Rashid47010, we are going to be adding a request for query section here soon where you can post stuff just like this! Stay tuned!
For Windows

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* source="C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log" | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | dedup hostname,_time | stats count by Hostname version architecture | sort + version
Just Linux

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* source="/opt/splunk/var/log/splunk/metrics.log" | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | dedup hostname,_time | stats count by Hostname version architecture _time | sort + Hostname +version