Hi @AK_Splunk
can you run query1 or query2 search in search head , hope one of helps your requriment
Query1
index=_internal source="*metrics.log" group="tcpin_connections"
| dedup hostname
| rename host as "receiver host" hostname as "sender host"
| table _time "sender host" connectionType version sourceIp destPort ssl fwdType "receiver host"
Query2
index=_internal source="*metrics.log" host IN (UF1,UF2)
group=tcpout_connections
| stats count by host destIp destPort
