I'd check a few things:
timestamps on the events - maybe they're old and you're chasing ghosts?
host and source of the events
receiving enabled on the indexer
search index=_internal source=*metrics.log* group=tcpin_connections for info around incoming forwarder connections
inputs enabled on the indexer
if source and inputs don't line up, check for props.conf/transforms.conf rewrites (TRANSFORMS-foo in props.conf)
search index=_internal source=*metrics.log* thruput for clues where the indexer thinks it has throughput
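An offline version of the tcpin_connections check above, as an added example that is not part of the original answer: it reads metrics.log lines directly and totals what each connecting forwarder sent. The sample lines are constructed and trimmed to a few fields, and `known_hosts` is a hypothetical list of the forwarders you expect to see.

```python
import re
from collections import defaultdict

# Constructed sample lines in the comma-separated key=value layout of
# metrics.log; most per-connection fields are trimmed for brevity.
SAMPLE = """\
03-14-2019 10:15:02.123 -0400 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceIp=10.0.0.5, destPort=9997, kb=12.50, version=7.2.4, hostname=web01, fwdType=uf
03-14-2019 10:15:02.124 -0400 INFO  Metrics - group=thruput, name=index_thruput, instantaneous_kbps=1.2, kb=37.0
03-14-2019 10:15:33.120 -0400 INFO  Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceIp=10.0.0.5, destPort=9997, kb=7.25, version=7.2.4, hostname=web01, fwdType=uf
03-14-2019 10:15:33.121 -0400 INFO  Metrics - group=tcpin_connections, 10.0.0.9:40022:9997, connectionType=cooked, sourceIp=10.0.0.9, destPort=9997, kb=0.00, version=6.6.3, hostname=legacy-db, fwdType=uf
"""

# "<date> <time> <tz> <level> Metrics - <comma-separated fields>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+)\s+\w+\s+Metrics - (?P<body>.*)$")


def parse_line(line):
    """Return the key=value fields of one metrics.log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"_ts": m.group("ts")}
    for part in m.group("body").split(", "):
        key, sep, value = part.partition("=")
        if sep:  # the bare "ip:port:port" token has no "=" and is skipped
            fields[key] = value
    return fields


def summarize_forwarders(text, known_hosts=()):
    """Total kb and sample count per (hostname, sourceIp) that connected."""
    summary = defaultdict(lambda: {"kb": 0.0, "samples": 0, "last_seen": None})
    for line in text.splitlines():
        f = parse_line(line)
        if not f or f.get("group") != "tcpin_connections":
            continue
        entry = summary[(f.get("hostname", "?"), f.get("sourceIp", "?"))]
        entry["kb"] += float(f.get("kb", 0))
        entry["samples"] += 1
        entry["last_seen"] = f["_ts"]  # file is chronological
        entry["known"] = f.get("hostname") in known_hosts
    return dict(summary)


if __name__ == "__main__":
    for (host, ip), e in summarize_forwarders(SAMPLE, {"web01"}).items():
        flag = "" if e["known"] else "  <-- not in known_hosts"
        print(f"{host:10} {ip:10} kb={e['kb']:.2f} last={e['last_seen']}{flag}")
```

A forwarder that shows up here but is not in your expected list, or one that connects while sending 0 kb, tells you which host and source to look at next.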