HI I have a web UI connection into the Heavy Forwarder over port 8000.
Is there a way I can view a list of universal forwarders that are sending to this Heavy forwarder?
This will give list of universal fwds sending data:
index=_internal source=*metrics.log group=tcpin_connections fwdType="uf" earliest=-1h
| eval sourceHost=coalesce(hostname, sourceHost)
| fields _time connectionType sourceIp sourceHost destPort splunk_server version hostname
| stats latest(_time) as _time latest(*) as * by sourceHost
If this reply helps you, an upvote/like would be appreciated.
This will give list of universal fwds sending data:
index=_internal source=*metrics.log group=tcpin_connections fwdType="uf" earliest=-1h
| eval sourceHost=coalesce(hostname, sourceHost)
| fields _time connectionType sourceIp sourceHost destPort splunk_server version hostname
| stats latest(_time) as _time latest(*) as * by sourceHost
If this reply helps you, an upvote/like would be appreciated.