Splunk Enterprise

Hosts sending logs to an UF



I have one UF that is receiving logs from many servers. This UF forward logs to my indexer.

How can I see which devices are being sent from this UF?

I tried the following search:

index=_internal host=myforwarder group=tcpin_connections | stats sum(kb) by sourceIp

Is there any other way?

Thanks a lot.

Tags (1)


Is it a UF or HF? Because UF sends the logs to an HF and HF then forwards to indexer. Nevertheless, if you want to list only the UFs, then index="_internal" source="*metrics.log*" group=tcpin_connections fwdType=uf should work

Happy Splunking!
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...