Is there a query for the indexers to find the noisiest forwarders in the last 24 hours?


We need to find the most talkative indexers within Splunk for the last 24-hour period.


Re: Is there a query for the indexers to find the noisiest forwarders in the last 24 hours?


This might help you to find the amount of data sent by forwarders.

index=_internal sourcetype=splunkd group=per_host_thruput earliest=-24h | stats sum(kb) as total by series | rename series as Host | sort - total
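
The aggregation the query above performs, reproduced offline as an added example (not part of the original thread and not Splunk's own code): it sums the kb field per series from per_host_thruput lines within the trailing 24 hours. The sample lines are constructed, and their layout, the function name top_talkers and its parameters are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the metrics.log layout shown here is an assumption.
SAMPLE_METRICS = """\
03-05-2024 10:15:32.123 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=4.983, eps=21.0, kb=154.5, ev=654, avg_age=2.1, max_age=4
03-05-2024 10:16:03.120 +0000 INFO  Metrics - group=per_host_thruput, series="db01", kbps=0.5, eps=2.0, kb=15.5, ev=60, avg_age=1.0, max_age=2
03-05-2024 10:16:03.120 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=3.2, eps=14.0, kb=100.0, ev=430, avg_age=2.0, max_age=3
03-05-2024 10:16:03.121 +0000 INFO  Metrics - group=per_index_thruput, series="main", kbps=3.7, eps=16.0, kb=115.5, ev=490, avg_age=2.0, max_age=3
03-03-2024 09:00:00.000 +0000 INFO  Metrics - group=per_host_thruput, series="old01", kbps=9.0, eps=1.0, kb=999.0, ev=10, avg_age=1.0, max_age=1
truncated line without fields
"""

TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"
# key=value pairs, where the value is either "quoted" or runs to the next comma
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def top_talkers(text, now, group="per_host_thruput", hours=24):
    """Sum kb per series for one metrics group over the trailing window, largest first."""
    cutoff = now - timedelta(hours=hours)
    totals = defaultdict(float)
    for line in text.splitlines():
        stamp, sep, rest = line.partition(" INFO ")
        if not sep:
            continue  # not a metrics line at all
        try:
            when = datetime.strptime(stamp.strip(), TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp
        fields = {key: quoted or bare for key, quoted, bare in KV.findall(rest)}
        if fields.get("group") != group or not (cutoff <= when <= now):
            continue  # other metric group, or outside the time window
        try:
            totals[fields["series"]] += float(fields["kb"])
        except (KeyError, ValueError):
            continue  # line is missing series/kb or kb is not numeric
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)
```

Pass a timezone-aware `now`, since the sample timestamps carry a UTC offset.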