Search: Get Splunk Universal Forwarder Version: Unterschied zwischen den Versionen

 
Zeile 1: Zeile 1:
 
== Splunk Query ==
 
== Splunk Query ==
 
<pre>
 
<pre>
index="_internal" source="*metrics.lo*" group=tcpin_connections | dedup guid| eval sourceHost=if(isnull(hostname), sourceHost,hostname) | eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")| eval build=if(isnull(build),"n/a",build) | eval version=if(isnull(version),"pre 4.2",version) | eval guid=if(isnull(guid),sourceHost,guid) | eval os=if(isnull(os),"n/a",os)| eval arch=if(isnull(arch),"n/a",arch) | table sourceHost connectionType sourceIp sourceHost ssl ack build version os arch guid
+
index="_internal" source="*metrics.lo*" group=tcpin_connections  
 +
| dedup guid  
 +
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)  
 +
| eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder")  
 +
| eval build=if(isnull(build),"n/a",build)  
 +
| eval version=if(isnull(version),"pre 4.2",version)  
 +
| eval guid=if(isnull(guid),sourceHost,guid)  
 +
| eval os=if(isnull(os),"n/a",os)  
 +
| eval arch=if(isnull(arch),"n/a",arch)  
 +
| table sourceHost connectionType sourceIp sourceHost ssl ack build version os arch guid
 
</pre>
 
</pre>
  

Aktuelle Version vom 12. August 2021, 08:54 Uhr

Splunk Query

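```Forwarder inventory built from the indexers' tcpin_connections metrics (metrics.log in _internal): one row per connecting forwarder with its type, version/build, OS and whether the link is SSL.```
index="_internal" source="*metrics.lo*" group=tcpin_connections 
```Prefer the hostname the forwarder reports about itself; fall back to the connection's sourceHost.```
| eval sourceHost=if(isnull(hostname), sourceHost,hostname) 
```Map fwdType / the raw connectionType to a readable label; anything unmatched gets "n/a" like the other fallbacks below instead of an empty cell.```
| eval connectionType=case(fwdType=="uf","universal forwarder", fwdType=="lwf", "lightweight forwarder",fwdType=="full", "heavy forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","legacy forwarder", true(),"n/a") 
| eval build=if(isnull(build),"n/a",build) 
| eval version=if(isnull(version),"pre 4.2",version) 
```Fill in guid BEFORE deduplicating: dedup drops events whose dedup field is null unless keepempty=true, so a forwarder that reports no guid would otherwise disappear from the inventory and the fallback below would never apply. Using sourceHost as the substitute key collapses such a forwarder to one row.```
| eval guid=if(isnull(guid),sourceHost,guid) 
| dedup guid 
| eval os=if(isnull(os),"n/a",os) 
| eval arch=if(isnull(arch),"n/a",arch) 
```version/build are the columns to sort on when looking for forwarders due for an upgrade; ssl shows which forwarder-to-indexer connections are encrypted. sourceHost was listed twice in the original table and is now listed once.```
| table sourceHost connectionType sourceIp ssl ack build version os arch guid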

Output

01-splunk version table.png