Splunk search for Details of hosts with UF sending data

index=_internal sourcetype=splunkd group=tcpin_connections NOT eventType=* | eval Host=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"< 4.2",version) | eval architecture=if(isnull(arch),"unknown",arch) | stats count by Host version architecture | sort version
This Splunk search provides detailed information on any forwarders that are sending data to the indexing tier: for each forwarder it lists the host, Splunk version and architecture, with a count of matching events.

Category: General Splunk

Tags: Admin general internal universal forwarder
