I would like to know how to find the distribution of all Universal Forwarders in Splunk by OS type (Unix, Windows, etc.).
Is there a query that'll define this allocation?
index=_internal fwdType="*" | dedup hostname | stats count by os, version
Install the Deployment Monitor App on your deployment server.
There is a dashboard there with the information.
Hoping that either Deployment Monitor or Forwarder Management would add a simple export option to a CSV. Then it would be much easier to use the export to build a serverclass.conf without having to first write your own query in Splunk.
If this answered your question - please accept it. Thanks!