Universal Forwarder Splunk Searches

Splunk Search for Universal Forwarders with Expired Certificates Copy


				index=_internal sourcetype=splunkd (alert_description="'certificate expired'" component=SSLCommon) OR (component=TcpInputProc AND "certificate verify failed")

0 comments

[0]

Splunk Search for Check for Hosts Hitting Max File Descriptor (max_fd) Limit Copy


				index=_internal sourcetype=splunkd "TailReader - File descriptor cache is full" "trimming" | stats count by host

0 comments

[0]

Splunk Search for Indexers a Univeral Forwarder is Sending Data To Copy


				index=_internal tcpouteloop "connected to idx" | stats count by idx

0 comments

[0]

Splunk searches relating to Universal Forwarder