Hi,
I'd lilke to create a detailed report with info including the type of forwarder, the average KB/s, the OS, the IP, the splunk version but also with information to which exact index the forwarder forwards to. Is it possible to recreate the search from the monitoring console for forwarder instance and use it somehow to connect it to each index?
`dmc_get_forwarder_tcpin` hostname=*
| eval source_uri = hostname.":".sourcePort
| eval dest_uri = host.":".destPort
| eval connection = source_uri."->".dest_uri
| stats values(fwdType) as fwdType, values(sourceIp) as sourceIp, latest(version) as version, values(os) as os, values(arch) as arch, dc(dest_uri) as dest_count, dc(connection) as connection_count, avg(tcp_KBps) as avg_tcp_kbps, avg(tcp_eps) as avg_tcp_eps by hostname, guid
| eval avg_tcp_kbps = round(avg_tcp_kbps, 2)
| eval avg_tcp_eps = round(avg_tcp_eps, 2)
| `dmc_rename_forwarder_type(fwdType)`
| rename hostname as Instance, fwdType as "Forwarder Type", sourceIp as IP, version as "Splunk Version", os as OS, arch as Architecture, guid as GUID, dest_count as "Receiver Count", connection_count as "Connection Count", avg_tcp_kbps as "Average KB/s", avg_tcp_eps as "Average Events/s"
And probably somehow join it with
| tstats
count
values(host) AS host
WHERE index=*
BY index
The issue I see is that it searches dmc_get_forwarder_tcpin which is equal to index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* and I cannot find the indexes there. How can i connect it to each index?
