Splunk search for List all Universal Forwarders

index=_internal group=tcpin_connections | eval host=if(isnull(hostname), sourceHost,hostname) | search (host=*) AND (host!="(ALL)") | eval version=if(isnull(version),"< 4.2",version) | stats values(version) as version by host
This search will provide detailed information on each Universal Forwarder that has reported data within the timeframe specified in your search. The search will output the IP of the Universal Forwarder, the Indexers that it has sent data to, the hostname of the Universal Forwarder, the total amount of data forwarded (in GB), the average number of events per second, the average thruput in KBps, and the version of Splunk that is running on the Universal Forwarder.
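The search above returns only the host and version columns. The following variant is an added example, not part of the original page, that also emits the other fields the description lists. It assumes the standard metrics.log tcpin_connections fields (sourceIp, kb, tcp_eps, tcp_KBps, fwdType) and the default splunk_server field are present in your deployment; the output column names (forwarder_ip, indexers, total_GB, avg_eps, avg_KBps, last_seen) are chosen here for illustration.

```spl
index=_internal source=*metrics.log* group=tcpin_connections
| eval host=if(isnull(hostname), sourceHost, hostname)
| search (host=*) AND (host!="(ALL)")
| eval version=if(isnull(version), "< 4.2", version)
| stats values(sourceIp) as forwarder_ip
        values(splunk_server) as indexers
        values(fwdType) as fwdType
        values(version) as version
        sum(kb) as total_kb
        avg(tcp_eps) as avg_eps
        avg(tcp_KBps) as avg_KBps
        max(_time) as last_seen
        by host
| eval total_GB=round(total_kb/1024/1024, 3)
| eval avg_eps=round(avg_eps, 2), avg_KBps=round(avg_KBps, 2)
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| fields host forwarder_ip indexers fwdType version total_GB avg_eps avg_KBps last_seen
| sort host
```

Adding `fwdType=uf` to the first line restricts the result to universal forwarders, at the cost of dropping older forwarders that do not report fwdType. A host with more than one value in the version column, or a stale last_seen, is worth checking during a forwarder inventory.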

Category:

General Splunk


Tags:

Admin general internal universal forwarder
