https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303239#M91235 <P>Hi kteng,2024<BR /> | stats count will give you count of events but not how large the events are.<BR /> considering each forwarder is on a host and you would like to see which host sends the most data (in volume not count) you can look at the license master. here's a sample search to run manually as well:<BR /> earliest=-1d@d latest=@d index=_internal source=<EM>license_usage.log</EM> type=Usage<BR /> | stats sum(b) AS Bytes by h<BR /> | eval GB = Bytes/1024/1024/1024<BR /> | table h GB<BR /> | sort -GB<BR /> | addcoltotals</P> <P>you can play with earliest and latest to pick your time or just puse time picker<BR /> you can also filter by other parameters then h<BR /> i = index<BR /> h = host<BR /> st = sourcetype</P> <P>Cheers</P> Tue, 29 Sep 2020 13:28:07 GMT adonio 2020-09-29T13:28:07Z https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303238#M91234 <P>Hi,</P> <P>Below is the query i am using to find the forwarders sending more data than others for a specific sourcetype</P> <P>index=index-name sourcetype=sourcetype-name | stats count by host | sort - count</P> <P>is the above query correct ?</P> Tue, 28 Mar 2017 14:51:28 GMT https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303238#M91234 kteng2024 2017-03-28T14:51:28Z https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303239#M91235 <P>Hi kteng,2024<BR /> | stats count will give you count of events but not how large the events are.<BR /> considering each forwarder is on a host and you would like to see which host sends the most data (in volume not count) you can look at the license master. here's a sample search to run manually as well:<BR /> earliest=-1d@d latest=@d index=_internal source=<EM>license_usage.log</EM> type=Usage<BR /> | stats sum(b) AS Bytes by h<BR /> | eval GB = Bytes/1024/1024/1024<BR /> | table h GB<BR /> | sort -GB<BR /> | addcoltotals</P> <P>you can play with earliest and latest to pick your time or just puse time picker<BR /> you can also filter by other parameters then h<BR /> i = index<BR /> h = host<BR /> st = sourcetype</P> <P>Cheers</P> Tue, 29 Sep 2020 13:28:07 GMT https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303239#M91235 adonio 2020-09-29T13:28:07Z https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303240#M91236 <P>Firstly, I would use a tstats for this (using only metadata fields) type of queries.</P> <PRE><CODE>| tstasts count WHERE index=index-name sourcetype=sourcetype-name by host | sort - count </CODE></PRE> <P>Second, when you say more data, it could be more number of events or more amount of data being sent. You got the query for number of events. For amount of data, you would need to user license usage logs, something like this</P> <PRE><CODE>index=_internal source=*license_usage.log type=Usage idx=index-name st=sourcetype-name | stats sum(b) as usage by h | sort -usage </CODE></PRE> Tue, 28 Mar 2017 15:01:16 GMT https://community.splunk.com/t5/Splunk-Search/query-to-find-the-forwarders-sending-too-much-data/m-p/303240#M91236 somesoni2 2017-03-28T15:01:16Z