Splunk Info

Description

A listing of Splunk client information for Windows.

The bar operator ("|") requires BES Client v8. Without it, several of the string-based properties return errors if Splunk is not installed or configured on the client.

The socket objects require BES Client v9. They are used to test connection status to the Splunk servers and assume connections on the default Splunk port, 9997.

It's difficult to read status from the splunkd.log file, as the file is locked, and the information contained in the file itself is often misleading.


Property Details

ID: 2994522
Status: Beta - Preliminary testing ready for more
Title: Splunk Info
Domain: BESC
Keywords: Splunk, Socket, Service
Added: 5/28/2013 4:11:38 PM
Last Modified: 5/28/2013 4:11:38 PM
Counters: 10377 Views / 62 Downloads

Properties

SplunkInstalled
Period: 6 hours
Relevance:
exists (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")

Version
Period: 6 hours
Relevance:
value "DisplayVersion" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string | "N/A"

ServiceState
Period: 1 hour
Relevance:
state of service "SplunkForwarder" as string | "Not Installed"

SplunkServer
Period: 6 hours
Relevance:
preceding text of first ":" of following text of first "=" of (it) of line whose ((if it does not contain ";" then it else preceding text of first ";" of it) as uppercase contains "TARGETURI") of file (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") as trimmed string | "N/A"

Server Connection Status
Period: 30 minutes
Relevance:
exists (sockets of network) whose ((remote port of it = 9997) and (tcp state of it as string = "ESTABLISHED"))

Active Server IP Address
Period: 30 minutes
Relevance:
unique values of (remote addresses of (sockets of network) whose ((remote port of it = 9997) and (tcp state of it as string = "ESTABLISHED")))

SplunkServerURI
Period: 6 hours
Relevance:
following text of first "=" of (it) of line whose ((if it does not contain ";" then it else preceding text of first ";" of it) as uppercase contains "TARGETURI") of file (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") as trimmed string | "N/A"

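The targetUri extraction behind the SplunkServer and SplunkServerURI properties, re-implemented in Python as an added example (not part of this analysis) so the logic can be checked offline; the deploymentclient.conf text is constructed. The ";" clause is what skips lines that have been commented out; this version also takes the value from the comment-stripped line, whereas the relevance takes the text after "=" from the full line.

```python
# Constructed sample deploymentclient.conf (not taken from the page): a stale
# entry commented out with ';', a mixed-case key, and a trailing ';' comment.
SAMPLE_CONF = """\
[deployment-client]
clientName = win-host-01

[target-broker:deploymentServer]
; targetUri = old-ds.example.internal:8089
TargetUri = splunk-ds.example.internal:8089 ; current deployment server
"""


def strip_inline_comment(line: str) -> str:
    """The relevance's '(if it does not contain ";" then it else preceding
    text of first ";" of it)': keep only what precedes the first ';'."""
    return line.split(";", 1)[0] if ";" in line else line


def splunk_server_uri(conf_text: str) -> str:
    """SplunkServerURI: value of the first live 'targetUri' line, else 'N/A'.

    The match is done on the comment-stripped, upper-cased line, so a line
    commented out with ';' is skipped. The returned value is taken from the
    stripped line too, so a trailing ';' comment does not leak into it.
    """
    for line in conf_text.splitlines():
        body = strip_inline_comment(line)
        if "TARGETURI" in body.upper() and "=" in body:
            return body.partition("=")[2].strip()
    return "N/A"  # the '| "N/A"' fallback: no matching line in the file


def splunk_server_host(conf_text: str) -> str:
    """SplunkServer: host part of the URI (text before the first ':'), else 'N/A'."""
    uri = splunk_server_uri(conf_text)
    if uri == "N/A" or ":" not in uri:
        return "N/A"  # 'preceding text of first ":"' has nothing to return
    return uri.partition(":")[0]


if __name__ == "__main__":
    print("SplunkServerURI:", splunk_server_uri(SAMPLE_CONF))
    print("SplunkServer:   ", splunk_server_host(SAMPLE_CONF))
```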
UninstallRegKey
Period: 1 day
Relevance:
(keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.")

SplunkConfigFile
Period: 1 day
Relevance:
(value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string & "etc\system\local\deploymentclient.conf") | "N/A"

InstallPath
Period: 6 hours
Relevance:
preceding text of last "\" of (value "InstallLocation" of (keys of (key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry)) whose (value "DisplayName" of it = "Universal Forwarder" and value "Publisher" of it = "Splunk, Inc.") as string) | "not installed"

ServiceInstalled
Period: 1 day
Used in 3 fixlets
Relevance:
exists service "SplunkForwarder"

Relevance

isWindows (Relevance 1172)
Used in 1152 fixlets and 538 analyses
Relevance:
windows of operating system

Comments

jgstew -
Does this work for your case? https://bigfix.me/relevance/details/3017230
jgstew -
What is this part for? `( if it does not contain ";" then it else preceding text of first ";" of it)` ... Also, in my case, the server that is being used is given by `server = ` in a different config file, rather than `targeturi =`.
jgstew -
I'm working on an updated version of this here: https://bigfix.me/analysis/details/2998315