I am working on the following, which gives a more complete picture. Downloading to XLS and then turning on filtering allows you to easily see OS type, ForwarderType, Version, lastIndexer communicated with, etc.
index=_internal source=*metrics.log component=Metrics group=tcpin_connections
| dedup hostname
| table hostname, sourceIp, os, arch, fwdType, version, ssl, guid, lastIndexer, _time
| sort hostname
Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!
This works fine on my Splunk 7.0.3
index=_internal source=*metrics.log group=tcpin_connections ssl=true
To have the forwarder and the connect time as a table -
index=_internal source=*metrics.log group=tcpin_connections ssl=true | table sourceHost _time
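The inverse check, as an added example that is not part of any of the posts above: list forwarders whose most recent connection was not over SSL. It uses only the field names shown in the searches above; `lastSeen` is an alias chosen here.

```spl
index=_internal source=*metrics.log group=tcpin_connections
| stats latest(ssl) AS ssl, latest(sourceIp) AS sourceIp, latest(fwdType) AS fwdType, latest(version) AS version, latest(_time) AS lastSeen BY hostname
| where isnull(ssl) OR ssl!="true"
| convert ctime(lastSeen)
| sort hostname
```

Taking `latest(ssl)` per hostname reports each forwarder's current state, so a host that has since been switched to SSL drops out of the list.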