Over the last week or so, my license usage has gone up by around 10 gig. I have looked in our Deployment Monitor App and, when drilling down, I can't find which forwarder is sending the increased amounts of data. I have broken it down to what sourcetype it is, but what I really need is the host or hosts.
Does anyone have a query that can provide this info?
index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=coalesce(sourceHost,hostname) | stats sum(kb) AS kb_forwarded by sourceHost | sort 3 -kb_forwarded
This will show you the three most active forwarders.
Thanks guys, both are very helpful to me in different ways. I appreciate your time 🙂
I like this search as it gives me source, sourcetype, host and volume in a nice table which can then be sorted by whichever column you want (defaults to volume):
index=_internal source=*license_usage.log | eval MB=b/1024/1024 | stats sum(MB) AS "Volume(MB)" by s,st,h | rename s AS Source, st AS Sourcetype, h AS Host | sort -"Volume(MB)" | head 50
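As an added example (not a search posted in this thread), the license_usage.log approach can be taken one step further to answer the original question directly: compare each host's licensed volume over the last 7 days with the 7 days before it, so the hosts responsible for the increase sort to the top. It assumes the standard license_usage.log fields (h = host, st = sourcetype, b = bytes) and the per-minute type=Usage events.

```spl
index=_internal source=*license_usage.log type=Usage earliest=-14d@d latest=@d
| eval period=if(_time >= relative_time(now(), "-7d@d"), "this_week", "last_week")
| eval MB=b/1024/1024
| chart sum(MB) over h by period
| fillnull value=0 this_week last_week
| eval delta_MB=round(this_week - last_week, 1)
| rename h AS Host
| sort -delta_MB
| head 20
```

Add st to the `over` clause (e.g. `chart sum(MB) over h,st by period` is not valid, so use `stats sum(MB) by h,st,period` followed by `xyseries`) if the spike needs to be tied to a sourcetype on a given host. On very large deployments Splunk omits h and s from these events once the distinct host/source combinations exceed the squash_threshold setting, so a host missing from this table may have been squashed rather than idle.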