Getting Data In

How to check traffic volume per heavy forwarder?

New Member

I plan to calculate the traffic volume in GB across all our HFs. Need this to ensure check which HF is getting max traffic as this is affecting. I was able to get memory, cpu and bandwidth utilization from index= _interospection and index=_internal

Labels (1)
0 Karma

index=_internal host IN ("yourheavyforwarders") group=per_index_thruput | stats sum(kb) as kb by host
| eval GB=round(kb/1024/1024,2) | fields - kb

Note: if you want to exclude internal indexes which are starting with _(underscore), you can use below search

index=_internal host IN ("yourheavyforwarders") group=per_index_thruput series!=_* | stats sum(kb) as kb by host
| eval GB=round(kb/1024/1024,2) | fields - kb


If this helps, give a like below.
0 Karma


If you are looking for total volume sent (including _internal) and not just license usage here is a good search:

index=_internal sourcetype=splunkd group=tcpin_connections (connectionType=cooked OR connectionType=cookedSSL) fwdType=* guid=* 
| eval dest_uri = host.":".destPort 
| stats values(fwdType) as forwarder_type, latest(version) as version, values(arch) as arch, dc(dest_uri) as dest_count, values(os) as os, max(_time) as last_connected, sum(kb) as new_sum_kb, sparkline(avg(tcp_KBps), 1m) as avg_tcp_kbps_sparkline, avg(tcp_KBps) as avg_tcp_kbps, avg(tcp_eps) as avg_tcp_eps by guid, hostname 
| eval hostname = upper(hostname)

This provides quite a bit of extra info. You can convert kb to GB as needed.

0 Karma


Hi hkumar26,
see Splunk Distributed Monitoring Console App and you can find your searches.

0 Karma

Ultra Champion

do you mean license usage? e.g. raw data received by indexers through Heavy Forwarders?

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...