Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Hosts sending logs to an UF

wvalente
Explorer
‎08-08-2018 05:45 PM

Dears,

I have one UF that is receiving logs from many servers. This UF forward logs to my indexer.

How can I see which devices are being sent from this UF?

I tried the following search:

index=_internal host=myforwarder group=tcpin_connections | stats sum(kb) by sourceIp

Is there any other way?

Thanks a lot.

Tags (1)
Reply

renjith_nair
SplunkTrust
SplunkTrust
‎08-08-2018 05:55 PM

Is it a UF or HF? Because UF sends the logs to an HF and HF then forwards to indexer. Nevertheless, if you want to list only the UFs, then index="_internal" source="*metrics.log*" group=tcpin_connections fwdType=uf should work

Happy Splunking!
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...