Hi,
Does anybody know what could be the cause why the tcpin_connections (group) is missing entirely from _internal index?
This search for checking the Forwarders (see below) worked just fine in the past. Currently our server and Forwarders run 6.5.0. Now it says 'No results found' (as there is no tcpin_connections group). The tcpout_connections group is visible, though.
Also, netstat -an shows established connections for port 9997 on the Linux (Splunk) server.
index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| rename connectionType as connectType
| eval connectType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf","lightwt fwder", fwdType=="full","heavy fwder", connectType=="cooked" or connectType=="cookedSSL","Splunk fwder", connectType=="raw" or connectType=="rawSSL","legacy fwder")
| eval version=if(isnull(version),"pre 4.2",version)
| rename version as Ver
| fields connectType sourceIp sourceHost destPort kb tcp_eps tcp_Kprocessed tcp_KBps splunk_server Ver os arch
| eval Indexer=splunk_server
| eval Hour=relative_time(_time,"@h")
| stats avg(tcp_KBps) sum(tcp_eps) sum(tcp_Kprocessed) sum(kb) by sourceHost sourceIp os arch connectType destPort Indexer Ver
| sort Ver
--
Thanks in advance for support!
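As an added example (not from the original post and not Splunk's own code): a small Python script that reads metrics.log lines straight from the indexer's file, independent of the search, so you can tell whether tcpin_connections lines are never written or merely not indexed. The log lines are constructed and the key=value layout is approximated; the hostname/sourceHost fallback, the case() precedence and the "pre 4.2" default mirror the search above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (layout approximates Splunk's metrics.log; real
# lines carry more fields). Four tcpin lines from three forwarders, one tcpout.
SAMPLE_LOG = """\
03-01-2017 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceHost=uf01, sourceIp=10.0.0.5, destPort=9997, kb=120.5, tcp_eps=40.0, tcp_Kprocessed=3.0, tcp_KBps=4.0, fwdType=uf, version=6.5.0, os=Linux, arch=x86_64
03-01-2017 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.6:51240:9997, connectionType=cookedSSL, sourceHost=hf01, sourceIp=10.0.0.6, destPort=9997, kb=300.0, tcp_eps=90.0, tcp_Kprocessed=8.0, tcp_KBps=10.0, fwdType=full, version=6.5.0, os=Windows, arch=x86_64
03-01-2017 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.7:51300:9997, connectionType=raw, sourceHost=old01, sourceIp=10.0.0.7, destPort=9997, kb=5.0, tcp_eps=1.0, tcp_Kprocessed=0.25, tcp_KBps=0.25
03-01-2017 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceHost=uf01, sourceIp=10.0.0.5, destPort=9997, kb=100.0, tcp_eps=30.0, tcp_Kprocessed=2.5, tcp_KBps=3.0, fwdType=uf, version=6.5.0, os=Linux, arch=x86_64
03-01-2017 10:00:31.000 +0000 INFO  Metrics - group=tcpout_connections, name=idx:10.0.0.9:9997:0, destIp=10.0.0.9, destPort=9997, kb=3.0, _tcp_KBps=0.1, _tcp_eps=2.0
"""

GROUP_RE = re.compile(r"group=(\w+)")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

# Same labels and precedence as the case() in the search: fwdType wins,
# connectionType is only consulted when fwdType is absent.
FWD_LABEL = {"uf": "Universal Forwarder", "lwf": "lightwt fwder", "full": "heavy fwder"}
CONN_LABEL = {"cooked": "Splunk fwder", "cookedSSL": "Splunk fwder",
              "raw": "legacy fwder", "rawSSL": "legacy fwder"}


def classify(f):
    return FWD_LABEL.get(f.get("fwdType")) or CONN_LABEL.get(f.get("connectionType"))


def group_counts(log_text):
    """Lines per metrics group. A zero tcpin_connections count in the raw file
    means the indexer never logged them, so the problem is not the search."""
    return Counter(m.group(1) for m in GROUP_RE.finditer(log_text))


def summarize_tcpin(log_text):
    """Reproduce the search's stats: avg(tcp_KBps) and sums by host, type, version."""
    acc = defaultdict(lambda: {"kbps": [], "eps": 0.0, "kproc": 0.0, "kb": 0.0})
    for line in log_text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        f = dict(KV_RE.findall(line))
        host = f.get("hostname") or f.get("sourceHost")   # hostname wins, as in the eval
        a = acc[(host, classify(f), f.get("version", "pre 4.2"))]
        a["kbps"].append(float(f["tcp_KBps"]))
        a["eps"] += float(f["tcp_eps"])
        a["kproc"] += float(f["tcp_Kprocessed"])
        a["kb"] += float(f["kb"])
    return {k: {"avg_tcp_KBps": sum(v["kbps"]) / len(v["kbps"]), "sum_tcp_eps": v["eps"],
                "sum_tcp_Kprocessed": v["kproc"], "sum_kb": v["kb"]} for k, v in acc.items()}


if __name__ == "__main__":
    print(group_counts(SAMPLE_LOG))
    for key, row in sorted(summarize_tcpin(SAMPLE_LOG).items()):
        print(key, row)
```

Run it against the real file with `summarize_tcpin(open("/opt/splunk/var/log/splunk/metrics.log").read())` (path assumed) on the indexer that netstat shows the 9997 connections on.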