SPL
Detailed list of Universal Forwarders Reporting to Indexer
Description
The following query lists detailed information about the universal forwarders checking in to the indexer. I've renamed some of the fields to be more user-friendly.
index=_internal sourcetype=splunkd destPort!="-"
| stats sparkline count by hostname, sourceHost, host, destPort, version
| rename destPort as "Destination Port"
| rename host as "Indexer"
| rename sourceHost as "Universal Forwarder IP"
| rename version as "Splunk Forwarder Version"
| rename hostname as "Universal Forwarder Host Name"
| rename sparkline as "Traffic Frequency"
| sort 0 - count
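A variant of the search above, added here as an example and not part of the original post: it keeps the same grouping but also records when each forwarder last checked in, so forwarders that have stopped sending stand out. The group=tcpin_connections filter, the 24-hour window and the 15-minute silence threshold are assumptions to adjust for your environment.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections destPort!="-" earliest=-24h
| stats count, latest(_time) as last_seen by hostname, sourceHost, host, destPort, version
| eval minutes_silent = round((now() - last_seen) / 60, 0)
| eval status = if(minutes_silent > 15, "silent", "reporting")
| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort 0 - minutes_silent
| rename hostname as "Universal Forwarder Host Name", sourceHost as "Universal Forwarder IP", host as "Indexer", destPort as "Destination Port", version as "Splunk Forwarder Version", count as "Events", last_seen as "Last Seen", minutes_silent as "Minutes Silent", status as "Status"
```

Here count is the number of matching splunkd events per forwarder/indexer/port/version combination within the search window.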
Comments
2 total
Need to change to | sort 0 - count, otherwise it is limited to 10,000 rows.
I don't understand what is counting the | sort - count line?