https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365569#M66549 <P>Hi cpraz_ord,</P> <P>I've got a couple of queries that I like to use for this exact purpose. This is under the assumption that you are forwarding all logs from your on-premise HF into the cloud. It’s not automatic, but you’d start by looking at the _internal index.</P> <P>This will give you a list of all the sourcetypes that the HF has handled.</P> <P><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_sourcetype_thruput | stats values(series)</CODE></P> <P>This will give you a list of all the indexes that the HF has handled.</P> <P><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_index_thruput | stats values(series)</CODE></P> <P>That’ll return all the hosts pushing data through the HF.</P> <P><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_host_thruput | stats values(series)</CODE></P> <P>Of course, you can use other combinations of <CODE>| stats</CODE> to get the formatting you desire, but these are the best starting points to help you start looking in the right places.</P> <P><STRONG>edit</STRONG></P> <P>I've refined the search a little for you to help you find which of the sourcetypes are the noisiest:</P> <PRE><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_sourcetype_thruput | stats avg(kbps) as kbps by series | sort -kbps </CODE></PRE> <P>Good luck!</P> Fri, 27 Apr 2018 08:19:10 GMT jajung 2018-04-27T08:19:10Z https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365567#M66547 <P>Hi all...one of my Heavy Forwarders is relaying much data, we are using it for an intermediate forwarding tier to Splunk Cloud. Many UFs are sending to this HF. </P> <P>I need to run a search to find what source types the Universal Forwarders are sending to this Heavy Forwarder. </P> <P>The Heavy forwarder is not running in preview mode. I've run plenty of searches that report both UF/HF activity to the SH....but I really want to understand what is going to this HF without bouncing it and putting it in local indexing/preview mode. </P> <P>Thanks for any input...!</P> Thu, 26 Apr 2018 19:07:51 GMT https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365567#M66547 cpraz_ord 2018-04-26T19:07:51Z https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365568#M66548 <P>Is HF internal logs are being forwarded to Splunk indexer?</P> Fri, 27 Apr 2018 06:25:07 GMT https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365568#M66548 p_gurav 2018-04-27T06:25:07Z https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365569#M66549 <P>Hi cpraz_ord,</P> <P>I've got a couple of queries that I like to use for this exact purpose. This is under the assumption that you are forwarding all logs from your on-premise HF into the cloud. It’s not automatic, but you’d start by looking at the _internal index.</P> <P>This will give you a list of all the sourcetypes that the HF has handled.</P> <P><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_sourcetype_thruput | stats values(series)</CODE></P> <P>This will give you a list of all the indexes that the HF has handled.</P> <P><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_index_thruput | stats values(series)</CODE></P> <P>That’ll return all the hosts pushing data through the HF.</P> <P><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_host_thruput | stats values(series)</CODE></P> <P>Of course, you can use other combinations of <CODE>| stats</CODE> to get the formatting you desire, but these are the best starting points to help you start looking in the right places.</P> <P><STRONG>edit</STRONG></P> <P>I've refined the search a little for you to help you find which of the sourcetypes are the noisiest:</P> <PRE><CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_sourcetype_thruput | stats avg(kbps) as kbps by series | sort -kbps </CODE></PRE> <P>Good luck!</P> Fri, 27 Apr 2018 08:19:10 GMT https://community.splunk.com/t5/Getting-Data-In/Find-source-types-from-UF-to-HF/m-p/365569#M66549 jajung 2018-04-27T08:19:10Z