Splunk search for Times UF hits throughput limit
index=_internal sourcetype=splunkd "has reached maxKBps" | rex "Current data throughput \((?<kb>\S+)" | eval kb=tonumber(kb) | eval throughput=case(kb < 500, "256", kb < 520, "512", kb < 770, "768", kb < 1210, "1024", 1=1, ">1024") | stats count as "Hit Count" sparkline as Trend by host, throughput | rename host as "Host", throughput as "Throughput rate(kb)" | sort -"Throughput rate(kb)", -"Hit Count"
This Splunk search lists how many times each Universal Forwarder has hit its throughput limit, bucketed by the limit that was in effect (the kb/s figure splunkd reports in the "has reached maxKBps" message). You can raise the limit by changing the maxKBps setting in the [thruput] stanza of limits.conf on the universal forwarder in question.
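To check the bucketing logic offline before running it against _internal, here is the same parse-and-count routine in Python, run over a few constructed splunkd lines. This is an added example, not part of the original search; the host is assumed to be the first token of each sample line (in Splunk it comes from the host field), and the sample messages are modelled on the fragment the search matches, not copied from a real forwarder.

```python
import re
from collections import Counter

# Constructed sample lines; the first token stands in for Splunk's host field.
SAMPLE_LOGS = [
    "fwd01 WARN ThruputProcessor - Current data throughput (256 kb/s) has reached maxKBps. As a result, data forwarding may be throttled.",
    "fwd01 WARN ThruputProcessor - Current data throughput (256 kb/s) has reached maxKBps. As a result, data forwarding may be throttled.",
    "fwd01 WARN ThruputProcessor - Current data throughput (512 kb/s) has reached maxKBps. As a result, data forwarding may be throttled.",
    "fwd02 WARN ThruputProcessor - Current data throughput (770.5 kb/s) has reached maxKBps. As a result, data forwarding may be throttled.",
    "fwd02 INFO TailReader - Batch input finished reading file='/var/log/app.log'",  # unrelated line, must be ignored
]

# Same capture as the search's rex: the number right after "throughput (".
THROUGHPUT_RE = re.compile(r"Current data throughput \((?P<kb>\S+)")

# Upper bounds of each band, in order; first match wins, so there are no gaps.
BANDS = (("256", 500), ("512", 520), ("768", 770), ("1024", 1210))
BAND_ORDER = [label for label, _ in BANDS] + [">1024"]


def throughput_bucket(kb: float) -> str:
    """Map a reported kb/s value to the maxKBps band it most likely corresponds to."""
    for label, upper in BANDS:
        if kb < upper:
            return label
    return ">1024"


def parse_line(line: str):
    """Return (host, band) for a throttle warning, or None for any other line."""
    if "has reached maxKBps" not in line:
        return None
    match = THROUGHPUT_RE.search(line)
    if match is None:
        return None
    try:
        kb = float(match.group("kb"))
    except ValueError:  # e.g. a malformed message; skip rather than miscount
        return None
    host = line.split()[0]
    return host, throughput_bucket(kb)


def count_hits(lines):
    """Equivalent of the search's stats/sort: (host, band, hit_count) tuples,
    ordered by band descending, then hit count descending."""
    counts = Counter(p for p in map(parse_line, lines) if p is not None)
    rows = [(host, band, n) for (host, band), n in counts.items()]
    return sorted(rows, key=lambda r: (-BAND_ORDER.index(r[1]), -r[2]))


if __name__ == "__main__":
    for host, band, n in count_hits(SAMPLE_LOGS):
        print(f"{host:8} {band:>6} {n}")
```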