The following query lists detailed information about the universal forwarders checking in to the indexer. I’ve renamed some of the fields to be more user-friendly.
index=_internal sourcetype=splunkd destPort!="-" | stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort 0 - count
Need to change to | sort 0 - count, otherwise it is limited to 10,000 rows.
I don’t understand what is counting the | sort - count line?