https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432576#M75667 <P>Assuming that you named your HF tier differently than your Indexer tier, you can use a search like this:</P> <PRE><CODE>index=_internal AND component=Metrics tcpout* | stats values(name) dc(name) AS options BY host | sort 0 options </CODE></PRE> Thu, 12 Jul 2018 03:24:28 GMT woodcock 2018-07-12T03:24:28Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432572#M75663 <P>We have two Heavy Forwarders through which quite a bit of data is flowing through. We have access to the back end, such as to the metrics logs but not to the UI. How can we find out the daily amount of data which goes through these heavy forwarders?</P> Wed, 11 Jul 2018 17:18:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432572#M75663 ddrillic 2018-07-11T17:18:03Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432573#M75664 <P>YOu can run CLI searches to those metrics logs to get the data you want (provided you've Splunk credentials with permission to view _internal index).<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.1.1/Troubleshooting/Aboutmetricslog">https://docs.splunk.com/Documentation/Splunk/7.1.1/Troubleshooting/Aboutmetricslog</A></P> Wed, 11 Jul 2018 17:56:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432573#M75664 somesoni2 2018-07-11T17:56:35Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432574#M75665 <P>Most cheerful @somesoni2 - thank you.</P> Wed, 11 Jul 2018 18:17:47 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432574#M75665 ddrillic 2018-07-11T18:17:47Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432575#M75666 <P>You can look in the metrics.log of the HWF how much they received.<BR /> And you can look on the next level indexer how much they received form the forwarders (and group them per type)</P> <P>example for the volume received by the indexers per forwarder type. (full = heavy forwarder)</P> <PRE><CODE> index=_internal host=*myindexer* source=*metrics.log* group=tcpin_connections fwdType| stats sum(kb) by hostname fwdType </CODE></PRE> Thu, 12 Jul 2018 00:09:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432575#M75666 yannK 2018-07-12T00:09:02Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432576#M75667 <P>Assuming that you named your HF tier differently than your Indexer tier, you can use a search like this:</P> <PRE><CODE>index=_internal AND component=Metrics tcpout* | stats values(name) dc(name) AS options BY host | sort 0 options </CODE></PRE> Thu, 12 Jul 2018 03:24:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/432576#M75667 woodcock 2018-07-12T03:24:28Z https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/632736#M108350 <P>Hi there，</P><P>i'm a new splunker</P><P>I'd like to know what's means of these search result, such as "management", "<SPAN>default-autolb-group:xxx.xxx.xxx.xxx:9997:3:1</SPAN>" i can understand there is my HF ip and port, but what's means of :3:1, I have seen :0:0, :0:1....</P><P>thanks in advance.</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>&nbsp;</P> Wed, 01 Mar 2023 09:08:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-we-find-the-Heavy-Forwarders-data-flow/m-p/632736#M108350 Zane 2023-03-01T09:08:37Z