Could someone help me find out whether i am gettin...

vikkysplunk · ‎03-04-2019

Hello, Please could someone help me find out whether i am getting data from the universal forwarder to the heavy forwarder?

Note : I don't have UF and Indexers, Search head CLI access.

Thanks.

woodcock · ‎03-05-2019

Try this:

|tstats count values(source) where (index=* OR index=_*) AND host="YourHostHere" BY sourcetype

If it does not show, see if you are using the correct YourHostHere with a broader search like this:

|tstats count values(source) where (index=* OR index=_*) BY host

Be sure to check both the original host and your HF host.

tsaikumar009 · ‎03-05-2019

| tstats count where index=* host=UFHOSTNAME by index,source,sourcetype

by the above query you will be able to see what are all the logs you are looking from the required Universal forwarder on search head. Then you can understand if the intended data is flowing through UF-->HF-->Indexer

damann · ‎03-05-2019

With something like that |tstats count where index=* by host you will get an overview which hosts are active.
Do you know your network and which hosts have a UF installed or which hosts work as a Heavy Forwarder?

bishtk · ‎03-25-2020

@damann thank you

Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation