SPL
Detailed list of Universal Forwarders Reporting to Indexer
Description
The following query lists detailed information about the universal forwarders checking in to the indexer. I've renamed some of the fields to be more user-friendly.
index=_internal sourcetype=splunkd destPort!="-" | stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Universal Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Universal Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort 0 - count
Comments
2 total
need to change to | sort 0 - count otherwise it is limited to 10,000 rows
I don't understand what is counting the | sort - count line?