Re: How do you build a search that gets a list of ...

guheal · ‎11-25-2018

Can you help me make a search/query so I can get a list of forwarders using SSL with successful connections?

zrxcrasher · ‎10-07-2019

I am working on the following which gives a more complete picture. Downloading to XLS and then turning on filtering allows you to easily see OS type, ForwarderType, Version, lastIndexer communicated with, etc.

index=_internal source=*metrics.log component=Metrics group=tcpin_connections
| dedup hostname
| table hostname, sourceIp, os, arch, fwdType, version, ssl, guid, lastIndexer, _time
| sort hostname

mstjohn_splunk · ‎11-26-2018

Hi @guheal,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

inventsekar · ‎11-25-2018

This works fine on my Splunk 7.0.3
index=_internal source=*metrics.log group=tcpin_connections ssl=true

To have the forwarder and the connect time as a table -
index=_internal source=*metrics.log group=tcpin_connections ssl=true | table sourceHost _time

How do you build a search that gets a list of forwarders using SSL with successful connections?

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices