Splunk search for Forwarders sending the most data
Copy
index="_internal" source="*metrics.log*" group=tcpin_connections NOT eventType=* | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | search sourceHost=* | timechart per_second(kb) by sourceHost WHERE max in top5 useother=f | rename sourceHost as UF
This Splunk search will output a timechart that shows the volume of data from the top 5 Universal Forwarders. The timechart is in the format of kb/s per Universal Forwarder.
0 comments
[0]
[0]
[0]
[0]
Sign in or Register to submit a comment