If you are using SSL on port 9997 or 9998 (or another port) to send logs from your forwarders to your indexers, you know that a misconfigured forwarder, or one with incorrect certs, can generate HttpListener "Socket error from" warnings in splunkd.log. This search gives you a succinct summary of the hosts producing them. Use Today in the timepicker.
Note: To check a single host, add an IP address and a space before the closing double quote on line one. You can then create a dashboard with this search and an input field for the IP so that installers can check for these logs themselves, or so that you can if your indexer is in the cloud (and you have no shell access). Remove the last line (sort) for the dashboard. In the dashboard, < and > need to be written as &lt; and &gt;.
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" HttpListener "Socket error from "
| rex "(?<errorLog>WARN\s+HttpListener\s.*?Socket error.*)"
| rex field=errorLog "WARN\s+HttpListener\s.*?Socket error from\s+(?<ip>[^ ]+)"
| lookup dnsLookup ip OUTPUT host as ForwarderInDNS
| rename ip as ForwarderIP
| fillnull value="(no DNS entry)" ForwarderInDNS
| stats earliest(_time) AS EarliestSeen latest(_time) AS LatestSeen count by ForwarderIP ForwarderInDNS errorLog
| convert timeformat="%Y/%m/%d - %H:%M:%S" ctime(EarliestSeen)
| convert timeformat="%Y/%m/%d - %H:%M:%S" ctime(LatestSeen)
| eval Comment="This error indicates a problem with certificate installation or path to certs configuration"
| fields EarliestSeen LatestSeen ForwarderIP ForwarderInDNS errorLog Comment count
| sort ForwarderInDNS
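
The dashboard described in the note, as an added Simple XML example that is not part of the original post. The token name fwd_ip and the labels are hypothetical; the time range is fixed to Today, the sort line is dropped, and a fillnull is included so that a forwarder without a DNS entry still shows up in the table.

```xml
<form version="1.1">
  <label>Forwarder SSL socket errors</label>
  <fieldset submitButton="true">
    <!-- fwd_ip is a hypothetical token name; the installer types the forwarder IP here -->
    <input type="text" token="fwd_ip">
      <label>Forwarder IP</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The IP and a trailing space sit before the closing double quote of line one.
               The < and > of the rex named groups are escaped as &lt; and &gt;. -->
          <query>index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" HttpListener "Socket error from $fwd_ip$ "
| rex "(?&lt;errorLog&gt;WARN\s+HttpListener\s.*?Socket error.*)"
| rex field=errorLog "WARN\s+HttpListener\s.*?Socket error from\s+(?&lt;ip&gt;[^ ]+)"
| lookup dnsLookup ip OUTPUT host as ForwarderInDNS
| rename ip as ForwarderIP
| fillnull value="(no DNS entry)" ForwarderInDNS
| stats earliest(_time) AS EarliestSeen latest(_time) AS LatestSeen count by ForwarderIP ForwarderInDNS errorLog
| convert timeformat="%Y/%m/%d - %H:%M:%S" ctime(EarliestSeen)
| convert timeformat="%Y/%m/%d - %H:%M:%S" ctime(LatestSeen)
| eval Comment="This error indicates a problem with certificate installation or path to certs configuration"
| fields EarliestSeen LatestSeen ForwarderIP ForwarderInDNS errorLog Comment count</query>
          <!-- "Today" in the timepicker -->
          <earliest>@d</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

An empty table for a forwarder's IP means no socket errors from that address were logged today.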