I have 2 universal forwarders sending data to 1 indexer. I want to search to see if one of the universal forwarders is actually sending data. How would I do that?
something like this should work. If you get any result means forwarders are sending data.
index=IndexWhereForwSendingData host=yourhost1 OR host=yourhost2
Typically the forwarder sends information which can be identified with the host field. So, search for everything, and you should see two hosts.
Yankees suck.