Splunk search for Detailed information on Universal Forwarders

index=_internal sourcetype=splunkd destPort!="-" | stats count by hostname, sourceHost, host, destPort, version | fields - count | rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP", host as "Indexer Hostname", destPort as "Forwarding Port", version as "Splunk Version"
This search outputs a table of all Universal Forwarders or other Splunk instances that are forwarding their internal logs to the Indexers. For each one it shows the forwarder's hostname, IP address and Splunk version, the port it uses to send data to the Indexers, and the Indexers it is sending data to.
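
A variant of the search above that also shows when each forwarder last connected and whether it forwards over TLS, so silent or unencrypted forwarders stand out. This is an added example, not part of the original page; it assumes the `group`, `fwdType` and `ssl` fields that splunkd writes in its `tcpin_connections` metrics events, and the 24-hour window and 60-minute threshold are illustrative choices.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections destPort!="-" earliest=-24h
``` one row per forwarder and receiving port; latest() keeps the most recent value ```
| stats latest(_time) as last_seen,
        latest(version) as version,
        latest(fwdType) as fwdType,
        latest(ssl) as ssl,
        values(host) as indexers
        by hostname, sourceHost, destPort
``` minutes since the forwarder last opened or reported a connection ```
| eval minutes_silent = round((now() - last_seen) / 60, 0)
``` assumed threshold: 60 minutes without a connection counts as silent ```
| eval status = case(minutes_silent > 60, "silent",
                     ssl == "false", "no TLS",
                     true(), "ok")
| convert ctime(last_seen)
| sort - minutes_silent
| rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP",
         indexers as "Indexer Hostname", destPort as "Forwarding Port",
         version as "Splunk Version", fwdType as "Forwarder Type",
         ssl as "TLS", last_seen as "Last Seen",
         minutes_silent as "Minutes Silent", status as "Status"
```

A forwarder that stopped sending before the search window began does not appear at all, so compare the result against an asset list when the window is short.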

