Splunk search for Ports used by Universal Forwarders to send data to Indexers

index="_internal" source="*metrics.log*" group=tcpin_connections NOT eventType=* | dedup sourceHost | stats count as Count by destPort
This Splunk search shows the destination ports that forwarders are using to send data to indexers, counting one entry per forwarder (the dedup on sourceHost). The default port used by Universal Forwarders to send data to Indexers is 9997, but this can be changed in outputs.conf. It's worth noting that this search only returns results for forwarders that have successfully sent data to Indexers: the tcpin_connections metrics are written by the receiving indexer, so if a forwarder is configured incorrectly and is sending to a port the Indexer(s) are not listening on, its internal logs never arrive at the Indexers and this search will not show it.
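As an added example (not part of the original post), the same filter, dedup and count logic in Python over constructed metrics.log-style lines, useful for sanity-checking the search against exported _internal data. The hostnames, ports and the subset of fields in the sample are made up; the example also goes one step beyond the SPL by listing forwarders that send to a non-default port.

```python
import re
from collections import Counter

# Constructed sample lines shaped like Splunk _internal metrics.log entries
# (example data only, not taken from any real deployment). Note the
# eventType=connect_done line and the per_index_thruput line, both of which
# the search above filters out.
SAMPLE_METRICS_LOG = """\
01-02-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:50001:9997, connectionType=cooked, sourcePort=50001, sourceHost=uf-web01, sourceIp=10.0.0.11, destPort=9997, kb=12.5, fwdType=uf, ssl=false
01-02-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.12:50002:9997, connectionType=cooked, sourcePort=50002, sourceHost=uf-web02, sourceIp=10.0.0.12, destPort=9997, kb=8.1, fwdType=uf, ssl=false
01-02-2024 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.13:50003:9998, connectionType=cooked, sourcePort=50003, sourceHost=uf-db01, sourceIp=10.0.0.13, destPort=9998, kb=3.7, fwdType=uf, ssl=false
01-02-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.11:50001:9997, connectionType=cooked, sourcePort=50001, sourceHost=uf-web01, sourceIp=10.0.0.11, destPort=9997, kb=11.9, fwdType=uf, ssl=false
01-02-2024 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.14:50004:9997, eventType=connect_done, connectionType=cooked, sourcePort=50004, sourceHost=uf-app01, sourceIp=10.0.0.14, destPort=9997
01-02-2024 10:00:31.000 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=1.2, eps=10
"""

KV_RE = re.compile(r"(\w+)=([^,\s]+)")  # key=value pairs separated by commas


def parse_kv(line):
    """Return the key=value fields of one metrics.log line as a dict."""
    return dict(KV_RE.findall(line))


def ports_by_forwarder(log_text, default_port="9997"):
    """Mirror the SPL: keep group=tcpin_connections, drop lines that carry an
    eventType field, keep one event per sourceHost, then count hosts per destPort.
    Also returns the hosts whose destPort differs from the expected default.
    Forwarders that never reach an indexer produce no lines here at all."""
    port_by_host = {}
    for line in log_text.splitlines():
        fields = parse_kv(line)
        if fields.get("group") != "tcpin_connections" or "eventType" in fields:
            continue
        host = fields.get("sourceHost")
        if host and host not in port_by_host:  # dedup: first event per host wins
            port_by_host[host] = fields.get("destPort")
    counts = Counter(port_by_host.values())
    nonstandard = sorted(h for h, p in port_by_host.items() if p != default_port)
    return counts, nonstandard


if __name__ == "__main__":
    counts, odd = ports_by_forwarder(SAMPLE_METRICS_LOG)
    for port, n in sorted(counts.items()):
        print(f"destPort={port} Count={n}")
    print("forwarders on a non-default port:", odd)
```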

Category:

General Splunk


Tags:

Admin general internal universal forwarders
