I have 3 indexers and 1 search head. From the search head is it possible any way to determine how many are the UF or Forwarders configured to my Splunk Architecture.
I am into an assignment and the individual previously working has left. Now I am totally messed up so as to determine howmuch and from where the data is pushed into Splunk environment.
Thanks.
Vikram.
Look at the metadata command, over a given period it will show you what hosts are sending data to Splunk.
| metadata type=hosts index=*
| fields - firstTime,totalCount,type
| convert ctime(lastTime) ctime(recentTime)
| table host ageInSeconds lastTime recentTime
You can also use type=sourcetypes here and see relative sourcetypes.
See docs here : https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Metadata
Additionally, you can look at forwarder management on the DMC if you are using a more recent version and it will give you additional information such as topology and forwarder types coming in.
You can also look through _internal index and build from there..
Look at the metadata command, over a given period it will show you what hosts are sending data to Splunk.
| metadata type=hosts index=*
| fields - firstTime,totalCount,type
| convert ctime(lastTime) ctime(recentTime)
| table host ageInSeconds lastTime recentTime
You can also use type=sourcetypes here and see relative sourcetypes.
See docs here : https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Metadata
Additionally, you can look at forwarder management on the DMC if you are using a more recent version and it will give you additional information such as topology and forwarder types coming in.
You can also look through _internal index and build from there..