Could someone help me find out whether I am getting data from universal forwarder to heavy forwarder?
Hello, please could someone help me find out whether I am getting data from the universal forwarder to the heavy forwarder?
Note: I don't have UF and Indexers, Search head CLI access.
Thanks.

Try this:
|tstats count values(source) where (index=* OR index=_*) AND host="YourHostHere" BY sourcetype
If it does not show, see if you are using the correct YourHostHere with a broader search like this:
|tstats count values(source) where (index=* OR index=_*) BY host
Be sure to check both the original host and your HF host.
| tstats count where index=* host=UFHOSTNAME by index,source,sourcetype
With the above query you will be able to see all the logs you are looking for from the required universal forwarder on the search head. Then you can understand if the intended data is flowing through UF-->HF-->Indexer.
With something like this:
|tstats count where index=* by host
you will get an overview of which hosts are active.
Do you know your network and which hosts have a UF installed or which hosts work as a Heavy Forwarder?
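Added example, not part of any post in this thread: the tstats searches above show that a host's events were indexed, but not which path they took. This search reads the heavy forwarder's own inbound-connection metrics instead. It assumes the HF forwards its _internal index to the indexers (the default) and that your role can search _internal; YourHFHostHere is a placeholder and the 15-minute staleness threshold is a constructed value.

```spl
index=_internal sourcetype=splunkd source=*metrics.log* group=tcpin_connections host="YourHFHostHere"
| eval forwarder=coalesce(hostname, sourceHost, sourceIp)
| stats latest(_time) AS last_seen
        sum(kb) AS total_kb
        values(fwdType) AS fwd_type
        values(sourceIp) AS source_ip
        values(connectionType) AS connection_type
        BY forwarder
| eval minutes_since_last = round((now() - last_seen) / 60, 1)
| eval status = if(minutes_since_last > 15, "stale", "sending")
| convert ctime(last_seen)
| sort - total_kb
```

A row whose forwarder matches the UF's host name, with fwd_type of uf and status of sending, means the HF is receiving from that UF. No row for the UF means it is not connecting to this HF, even if its events appear in the tstats results by another route.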
@damann thank you
