Splunk search for Last time a UF sent data

index="_internal" source="*metrics.log*" group=tcpin_connections NOT eventType=*
| eval Source=if(isnull(hostname), sourceIp, hostname)
| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf","Lightweight Forwarder", fwdType=="full","Heavy Forwarder", connectionType=="cooked" OR connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" OR connectionType=="rawSSL","Legacy Forwarder")
| eval build=if(isnull(build),"n/a",build)
| eval version=if(isnull(version),"< 4.2",version)
| eval os=if(isnull(os),"unknown",os)
| eval arch=if(isnull(arch),"unknown",arch)
| eval lastReceived=if(kb>0, _time, null())
| stats first(connectionType) as connectionType max(lastReceived) as lastReceived by Source
| eval LastReceived=strftime(lastReceived, "%Y/%m/%d %H:%M:%S")
| fields Source, connectionType, LastReceived
| sort + LastReceived
This search reads the tcpin_connections throughput records from metrics.log in the _internal index (connection open/close events carry eventType and are excluded) and reports, per forwarder, the forwarder type and the last time it actually sent data, i.e. the latest record with kb>0. Results are sorted oldest first, so forwarders that have gone quiet appear at the top. Hosts that appear with an old LastReceived, or not at all, are the ones to check for a stopped splunkd, a blocked outputs connection or a host that is down.
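As an added example that is not part of the original page, the same logic as the search applied outside Splunk in Python: parse metrics.log tcpin_connections lines, keep the latest timestamp per source at which kb>0, classify the forwarder the way the search's case() does, and additionally flag sources that have been silent longer than a threshold. The log lines, host names, addresses and the DEMO_NOW reference time are all constructed for the demo.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real data) shaped like splunkd metrics.log
# tcpin_connections records; kb=0.00 means the connection was idle that period.
SAMPLE_LOG = """\
07-08-2024 12:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceIp=10.0.0.5, kb=12.50, _tcp_eps=4.00, hostname=web01, fwdType=uf, version=9.1.2, os=Linux, arch=x86_64
07-08-2024 12:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40011:9997, connectionType=cookedSSL, sourceIp=10.0.0.9, kb=3.10, _tcp_eps=1.00, hostname=db02, fwdType=full, version=9.0.4, os=Linux, arch=x86_64
07-08-2024 12:30:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceIp=10.0.0.5, kb=0.00, _tcp_eps=0.00, hostname=web01, fwdType=uf, version=9.1.2, os=Linux, arch=x86_64
07-08-2024 13:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40011:9997, connectionType=cookedSSL, sourceIp=10.0.0.9, kb=8.00, _tcp_eps=2.00, hostname=db02, fwdType=full, version=9.0.4, os=Linux, arch=x86_64
07-08-2024 13:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:55000:9997, connectionType=raw, sourceIp=10.0.0.12, kb=0.50, _tcp_eps=1.00
07-08-2024 13:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, eventType=connect_close, connectionType=cooked, sourceIp=10.0.0.5, hostname=web01, fwdType=uf
"""
DEMO_NOW = datetime(2024, 7, 8, 13, 10, tzinfo=timezone.utc)  # constructed reference "now"
KV_RE = re.compile(r"(\w+)=([^,]+)")

def parse_metrics_line(line):
    """Fields of one tcpin_connections throughput record; None for other metric
    groups and for connect/close events (the search's NOT eventType=*)."""
    fields = dict(KV_RE.findall(line))
    if fields.get("group") != "tcpin_connections" or "eventType" in fields:
        return None
    fields["_time"] = datetime.strptime(" ".join(line.split()[:3]), "%m-%d-%Y %H:%M:%S.%f %z")
    return fields

def connection_type(fields):
    """Same precedence as the search's case(): fwdType first, then connectionType."""
    names = {"uf": "Universal Forwarder", "lwf": "Lightweight Forwarder", "full": "Heavy Forwarder",
             "cooked": "Splunk Forwarder", "cookedSSL": "Splunk Forwarder",
             "raw": "Legacy Forwarder", "rawSSL": "Legacy Forwarder"}
    return names.get(fields.get("fwdType")) or names.get(fields.get("connectionType"), "unknown")

def last_received(log_text):
    """Per source (hostname, else sourceIp): forwarder type and the latest time
    at which kb>0, i.e. the last period in which real data arrived."""
    summary = {}
    for line in log_text.splitlines():
        f = parse_metrics_line(line)
        if f is None:
            continue
        source = f.get("hostname") or f.get("sourceIp")
        entry = summary.setdefault(source, {"connectionType": connection_type(f), "lastReceived": None})
        if float(f.get("kb", "0")) > 0 and (entry["lastReceived"] is None or f["_time"] > entry["lastReceived"]):
            entry["lastReceived"] = f["_time"]
    return summary

def stale_forwarders(summary, now=DEMO_NOW, max_age_minutes=30):
    """Sources that never sent data or whose last send is older than max_age_minutes."""
    limit = timedelta(minutes=max_age_minutes)
    return sorted(s for s, e in summary.items() if e["lastReceived"] is None or now - e["lastReceived"] > limit)
```

Running `stale_forwarders(last_received(SAMPLE_LOG))` flags only web01: its 12:30 record has kb=0.00 and its 13:05 record is a connection event, so its last real send stays at 12:00:31, well past the 30 minute threshold at DEMO_NOW.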
Category: General Splunk

Tags: Admin general internal universal forwarder