How To See The UF/HF Server Information and OS Details In Splunk

Hello guys!!!!

Today we have come here with an interesting topic in Splunk.
We all know about the term SPL in Splunk.
Yes, you got it right, “Search Processing Language”. Using SPL we can get every piece of information about the data getting indexed in Splunk.

But, what if you want to know some more, like the version of Splunk running on every server along with the server name, or the OS of the server on which Splunk is running, and so on?

So, today we are going to show this information using SPL.
So, let's get started.

Step 1:
Log in to Splunk using your credentials.
Step 2:
Go to the Search and Reporting app.
Step 3:
Write the below query in the search box.

index=_internal sourcetype=splunkd
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| table connectType,sourceIp,sourceHost,os,version
| dedup connectType,sourceIp,sourceHost,os,version

Explanation:

index=_internal sourcetype=splunkd

Here, we have searched the “_internal” index for the “splunkd” sourcetype, because the information we are looking for (the forwarder connection details that splunkd logs) is present in the _internal index.

| eval sourceHost=if(isnull(hostname), sourceHost,hostname)

Then, wherever the “hostname” field has a null value, “sourceHost” keeps its own value; otherwise “sourceHost” is replaced with the value of “hostname”. The next line, `rename connectionType as connectType`, just gives the “connectionType” field the shorter name “connectType” so that the following eval can overwrite it.

| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf", "lightwt fwder",fwdType=="full", "heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")

Then, using the eval command with case(), we have redefined the ‘connectType’ field: if ‘fwdType’=uf, “univ fwder” is stored; if ‘fwdType’=lwf, “lightwt fwder” is stored; if ‘fwdType’=full, “heavy fwder” is stored. When ‘fwdType’ is not set, the original connection type is used instead: “cooked” or “cookedSSL” becomes “Splunk fwder”, and “raw” or “rawSSL” becomes “legacy fwder”. case() returns the value of the first condition that matches, so the order of the conditions matters.

| table connectType,sourceIp,sourceHost,os,version
| dedup connectType,sourceIp,sourceHost,os,version

Now, to show all the required fields with their unique combinations of values in tabular form, we have used the table and dedup commands.

Here, we have got the “connectType” field according to the “fwdType” field [logic explained above].

The “sourceIp” field contains the IP of the “universal forwarders” and the “heavy forwarders”.

The “sourceHost” field contains the name of the servers (“universal forwarders” and “heavy forwarders”).

The “os” field contains the “Operating System” name of the servers (“universal forwarders” and “heavy forwarders”).

The “version” field contains the version of Splunk running on each server (“universal forwarders” and “heavy forwarders”).
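One practical follow-up is to use this inventory for checking that every forwarder is on the version it should be on, since forwarders left on old releases miss security fixes. The search below is added here as an example and is not part of the original post; it keeps the same field logic as the query above and then summarises per host with stats instead of dedup. The value of baselineVersion ("9.0.0") is a constructed placeholder and must be replaced with the version your deployment is supposed to run; lastSeen only reaches back as far as your _internal index retention.

```spl
index=_internal sourcetype=splunkd
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","univ fwder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| stats latest(_time) as lastSeen, latest(os) as os, latest(version) as version by connectType, sourceIp, sourceHost
| eval lastSeen=strftime(lastSeen, "%Y-%m-%d %H:%M:%S")
| eventstats dc(sourceHost) as hostsOnVersion by version
| eval baselineVersion="9.0.0"
| eval versionStatus=if(version==baselineVersion, "on baseline", "review")
| table sourceHost, sourceIp, connectType, os, version, hostsOnVersion, versionStatus, lastSeen
| sort versionStatus, version, sourceHost
```

latest(version) is used rather than values(version) so that a host that was upgraded during the search window shows only the version it reported most recently, and hostsOnVersion makes a single host on an odd version stand out from the rest of the fleet. Rows marked “review” at the top of the list are the ones to look at first.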

Hope this has helped you see the UF/HF server information and OS details in Splunk without fail !!

Happy Splunking !!
