powershell command to check if splunk is forwardin...

LinkLoop · ‎01-29-2025

Is there a powershell command to find out if splunk is indeed forwarding logs to splunk console? I can check if agent is installed andrunning but how about forwarding?

which log should i check for?

tscroggins · ‎02-09-2025

Hi @LinkLoop,

You can verify Splunk is connected to outputs with the list forward-server command:

& "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" list forward-server -auth admin:password

Active forwards:
        splunk.example.com:9997 (ssl)
Configured but inactive forwards:
        None

The command requires authentication, so you'll need to know the local Splunk admin username and password defined at install time.

If the local management port is disabled, the command will not be available. You can otherwise search local logs for forwarding activity:

Select-String -Path "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log" -Pattern "Connected to idx="

Select-String -Path "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log" -Pattern "group=per_index_thruput, series=`"_internal`""

powershell command to check if splunk is forwarding logs to splunk console

administration

installation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation