Splunk search for Universal Forwarder Errors
index=_internal sourcetype="splunkd" log_level="ERROR"
| stats sparkline count dc(host) as uniquehosts latest(event_message) as event_message min(_time) as first max(_time) as last by punct
| eval last=strftime(last,"%b %d, %Y %H:%M:%S"), first=strftime(first,"%b %d, %Y %H:%M:%S")
| table event_message count uniquehosts first last sparkline
| sort -count
| rename event_message as "Error", count as Count, uniquehosts as "Affected Hosts", first as "First Occurrence", last as "Most Recent Occurrence", sparkline as Trend
This Splunk search summarises the errors that Splunk Universal Forwarders have written to their internal logs (the splunkd sourcetype in the _internal index). Grouping by punct, the punctuation pattern of the raw event, collapses messages that differ only in variable parts such as hostnames, ports or file paths into a single row, so each row shows a representative error message, how many times that error pattern has been seen, how many distinct hosts reported it, when it was first and most recently seen, and a sparkline of its trend over the search window. Because every Splunk instance writes splunkd logs to _internal, the same search also picks up errors from indexers and search heads unless you add a host filter for the forwarders you care about.
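As an added example that is not part of the original page, the following Python script reproduces the logic of the search offline over a few constructed splunkd log lines: it parses the splunkd line format, derives an approximation of Splunk's punct field (punctuation characters of the first line only, letters and digits dropped, spaces turned into underscores, capped at 30 characters, which is an assumed simplification of Splunk's exact rules), keeps only ERROR events and aggregates them per punct into the same columns the search produces. The hosts, IP addresses, paths and messages in SAMPLE_EVENTS are constructed; only the line layout (timestamp, offset, level, component, dash, message) follows the real splunkd format. First and most recent occurrence are computed as min and max of the event time so the result does not depend on the order in which events are read.

```python
import re
from datetime import datetime

# splunkd internal log line format: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$"
)
TIME_FMT = "%b %d, %Y %H:%M:%S"  # same strftime format the search uses

# Constructed sample events as (host, raw line); hosts, IPs, paths and messages are made up.
SAMPLE_EVENTS = [
    ("uf-web01", "01-15-2024 10:22:33.100 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed"),
    ("uf-web01", "01-15-2024 10:22:35.200 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.5:9997 timed out"),
    ("uf-web02", "01-15-2024 10:23:01.300 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.6:9997 failed"),
    ("uf-db01",  "01-15-2024 10:24:10.400 +0000 ERROR TailReader - File /var/log/app.log will not be read, is too small"),
    ("uf-web01", "01-15-2024 10:25:00.500 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed"),
]


def punct(raw: str, limit: int = 30) -> str:
    """Approximate Splunk's punct field: punctuation of the first line only,
    letters and digits dropped, spaces turned into '_', truncated to `limit`
    characters. This is an assumed simplification of Splunk's exact rules."""
    first_line = raw.split("\n", 1)[0]
    out = []
    for ch in first_line:
        if ch.isalnum():
            continue
        out.append("_" if ch == " " else ch)
        if len(out) == limit:
            break
    return "".join(out)


def parse_event(host: str, raw: str):
    """Extract the fields the search relies on (_time, log_level, event_message, punct).
    Returns None for lines that do not match the splunkd layout."""
    m = LINE_RE.match(raw)
    if m is None:
        return None
    when = datetime.strptime(f"{m['ts']} {m['tz']}", "%m-%d-%Y %H:%M:%S.%f %z")
    return {
        "host": host,
        "_time": when,
        "log_level": m["level"],
        "component": m["component"],
        "event_message": m["message"],
        "punct": punct(raw),
    }


def error_summary(events):
    """Offline equivalent of: log_level=ERROR | stats count dc(host)
    latest(event_message) min(_time) max(_time) by punct | sort -count.
    Returns one row dict per distinct punct pattern, most frequent first."""
    groups = {}
    for host, raw in events:
        ev = parse_event(host, raw)
        if ev is None or ev["log_level"] != "ERROR":
            continue
        g = groups.setdefault(ev["punct"], {
            "count": 0, "hosts": set(), "first": ev["_time"],
            "last": ev["_time"], "event_message": ev["event_message"],
        })
        g["count"] += 1
        g["hosts"].add(ev["host"])
        g["first"] = min(g["first"], ev["_time"])
        if ev["_time"] >= g["last"]:  # keep the text of the most recent occurrence
            g["last"] = ev["_time"]
            g["event_message"] = ev["event_message"]
    rows = [
        {
            "Error": g["event_message"],
            "Count": g["count"],
            "Affected Hosts": len(g["hosts"]),
            "First Occurrence": g["first"].strftime(TIME_FMT),
            "Most Recent Occurrence": g["last"].strftime(TIME_FMT),
            "punct": p,
        }
        for p, g in groups.items()
    ]
    rows.sort(key=lambda r: r["Count"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in error_summary(SAMPLE_EVENTS):
        print(row)
```

Running the script shows the three TcpOutputFd connection failures collapsed into one row (count 3, two affected hosts) even though they name two different indexer addresses, while the TailReader error lands in its own row; that collapsing is exactly what grouping by punct buys you in the search, and also why the Error column shows only one representative message per pattern.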