Forums: SplunkAdministration: forwarding/receiving and 4.x


In Splunk 3.x, when forwarding, server information appeared in (splunk home)/etc/system/local/outputs.conf.

Where is this data in Splunk 4.x? I thought it would be in (splunk home)/etc/apps/SplunkForwarder/local but it's not.

I miss the 'view topology' option that was in 3.x but is not in 4.x. That let me know the forwarder/receiver could at least see each other.

Thanks,

Rich

Yea, I miss the topology too.

However, try this command. It will tell you of all the Forwarders that communicated to your indexer in the last 3 minutes.

index=_internal group="tcpin_connections" startminutesago=3 | stats count(sourceHost) by sourceHost

Thanks! Useful command, that.

On further review, it looks like the receiving server is documented here...

/opt/splunk/etc/apps/search/local/outputs.conf

You might also find this topic in the Splunk Community wiki to be of some use:

http://www.splunk.com/base/Deploy:HowToFindLostForwarders

Feel free to contribute more useful searches to it; you just need to be logged into your splunk.com account to edit the pages in the Community wiki.

Thanks!
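An added example, not part of the original thread and not Splunk's own code: the search in the thread lists forwarders seen in the last 3 minutes, and this sketch goes one step further by also reporting forwarders that were seen earlier but have since gone silent. The log lines are constructed; only the `group` and `sourceHost` fields come from the search above, and the timestamp layout and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed layout); only group= and sourceHost=
# are taken from the search quoted in the thread.
SAMPLE_LOG = """\
2010-03-01 11:40:00 INFO Metrics - group=tcpin_connections, sourceHost=db01, sourceIp=10.0.0.12
2010-03-01 12:00:05 INFO Metrics - group=tcpin_connections, sourceHost=web01, sourceIp=10.0.0.11
2010-03-01 12:01:30 INFO Metrics - group=tcpin_connections, sourceHost=fw01, sourceIp=10.0.0.1
2010-03-01 12:01:31 INFO Metrics - group=pipeline, name=parsing, processor=utf8
2010-03-01 12:02:10 INFO Metrics - group=tcpin_connections, sourceHost=web01, sourceIp=10.0.0.11
truncated line group=tcpin_connections, sourceHost=ghost
"""

# key=value pairs, with or without double quotes around the value
KV_RE = re.compile(r'(\w+)="?([^",\s]+)"?')


def last_seen(log_text):
    """Map each sourceHost to its most recent tcpin_connections timestamp."""
    seen = {}
    for line in log_text.splitlines():
        try:
            stamp = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # no parseable timestamp: skip rather than guess
        fields = dict(KV_RE.findall(line[19:]))
        if fields.get("group") != "tcpin_connections" or "sourceHost" not in fields:
            continue  # other metrics groups are not forwarder connections
        host = fields["sourceHost"]
        seen[host] = max(stamp, seen.get(host, stamp))
    return seen


def classify(log_text, now, window=timedelta(minutes=3)):
    """Return (active, silent): hosts seen inside the window vs. only before it."""
    cutoff = now - window
    seen = last_seen(log_text)
    active = sorted(h for h, t in seen.items() if t >= cutoff)
    silent = sorted(h for h, t in seen.items() if t < cutoff)
    return active, silent


if __name__ == "__main__":
    active, silent = classify(SAMPLE_LOG, datetime(2010, 3, 1, 12, 3, 0))
    print("active:", active)
    print("silent:", silent)
```

A forwarder that lands in the silent list is a log source that has stopped reporting, which is worth alerting on because events from that host are no longer reaching the indexer.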