How do you build a search that gets a list of forwarders using SSL with successful connections?

New Member

Can you help me make a search/query so I can get a list of forwarders using SSL with successful connections?

Tags (2)
0 Karma

Loves-to-Learn Lots

I am working on the following which gives a more complete picture. Downloading to XLS and then turning on filtering allows you to easily see OS type, ForwarderType, Version, lastIndexer communicated with, etc.

index=_internal source=*metrics.log component=Metrics group=tcpin_connections
| dedup hostname
| table hostname, sourceIp, os, arch, fwdType, version, ssl, guid, lastIndexer, _time
| sort hostname

0 Karma

Splunk Employee
Splunk Employee

Hi @guheal,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma

Super Champion

This works fine on my Splunk 7.0.3
index=_internal source=*metrics.log group=tcpin_connections ssl=true

To have the forwarder and the connect time as a table -
index=_internal source=*metrics.log group=tcpin_connections ssl=true | table sourceHost _time

Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...