Splunk search for Detailed information on Universal Forwarders

index=_internal sourcetype=splunkd destPort!="-" | stats count by hostname, sourceHost, host, destPort, version | fields - count | rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP", host as "Indexer Hostname", destPort as "Forwarding Port", version as "Splunk Version"
This search outputs a table of all Universal Forwarders and other Splunk instances that are forwarding their internal logs to the Indexers. For each one it shows the forwarder's hostname, IP and Splunk version, the port it uses to send data to the Indexers, and the Indexers it is sending data to.
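
A variation on the search above that turns the inventory into a health check, flagging forwarders that have stopped sending or that connect without TLS (an added example, not part of the original post). It assumes the indexers' metrics.log tcpin_connections events, which is where hostname, sourceHost, destPort and version come from, also carry the ssl field; the 15-minute threshold and the status labels are arbitrary choices for illustration.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections destPort!="-"
| stats latest(_time) as last_seen
        latest(version) as version
        latest(ssl) as ssl
        values(destPort) as ports
        values(host) as indexers
        by hostname, sourceHost
| eval minutes_silent = round((now() - last_seen) / 60, 0)
| eval status = case(minutes_silent > 15, "silent",
                     isnull(ssl), "tls unknown",
                     ssl="false", "unencrypted",
                     true(), "ok")
| convert ctime(last_seen)
| sort - minutes_silent
| rename hostname as "Forwarder Hostname", sourceHost as "Forwarder IP",
         indexers as "Indexer Hostname", ports as "Forwarding Port",
         version as "Splunk Version", last_seen as "Last Seen",
         minutes_silent as "Minutes Silent", ssl as "TLS", status as "Status"
```

Run it over a window longer than the threshold (for example the last 24 hours), otherwise forwarders that have gone quiet never appear in the results.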