Could someone help me find out whether i am gettin...

vikkysplunk · ‎03-04-2019

Hello, Please could someone help me find out whether i am getting data from the universal forwarder to the heavy forwarder?

Note : I don't have UF and Indexers, Search head CLI access.

Thanks.

woodcock · ‎03-05-2019

Try this:

|tstats count values(source) where (index=* OR index=_*) AND host="YourHostHere" BY sourcetype

If it does not show, see if you are using the correct YourHostHere with a broader search like this:

|tstats count values(source) where (index=* OR index=_*) BY host

Be sure to check both the original host and your HF host.

tsaikumar009 · ‎03-05-2019

| tstats count where index=* host=UFHOSTNAME by index,source,sourcetype

by the above query you will be able to see what are all the logs you are looking from the required Universal forwarder on search head. Then you can understand if the intended data is flowing through UF-->HF-->Indexer

damann · ‎03-05-2019

With something like that |tstats count where index=* by host you will get an overview which hosts are active.
Do you know your network and which hosts have a UF installed or which hosts work as a Heavy Forwarder?

bishtk · ‎03-25-2020

@damann thank you

Could someone help me find out whether i am getting data from universal forwarder to heavy forwarder?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!