topic Re: Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder? in Getting Data In

Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

vikkysplunk — Tue, 05 Mar 2019 07:26:38 GMT

Hello, Please could someone help me find out whether i am getting data from the universal forwarder to the heavy forwarder?

Note : I don't have UF and Indexers, Search head CLI access.

Thanks.

Re: Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

damann — Tue, 05 Mar 2019 15:02:06 GMT

With something like that |tstats count where index=* by host you will get an overview which hosts are active.
Do you know your network and which hosts have a UF installed or which hosts work as a Heavy Forwarder?

Re: Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

tsaikumar009 — Tue, 05 Mar 2019 15:13:09 GMT

| tstats count where index=* host=UFHOSTNAME by index,source,sourcetype

by the above query you will be able to see what are all the logs you are looking from the required Universal forwarder on search head. Then you can understand if the intended data is flowing through UF-->HF-->Indexer

Re: Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

woodcock — Wed, 06 Mar 2019 05:50:47 GMT

Try this:

|tstats count values(source) where (index=* OR index=_*) AND host="YourHostHere" BY sourcetype

If it does not show, see if you are using the correct YourHostHere with a broader search like this:

|tstats count values(source) where (index=* OR index=_*) BY host

Be sure to check both the original host and your HF host.

Re: Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

bishtk — Thu, 26 Mar 2020 05:38:39 GMT

@damann thank you