Hi @AK_Splunk 

can you run  query1 or query2 search in search head , hope one of helps your requriment 

Query1

index=_internal source="*metrics.log" group="tcpin_connections"
| dedup hostname
| rename host as "receiver host" hostname as "sender host"
| table _time "sender host" connectionType version sourceIp destPort ssl fwdType "receiver host" 

Query2

index=_internal source="*metrics.log" host IN (UF1,UF2) 
group=tcpout_connections
| stats count by host destIp destPort