Unable to perform the following search provided by Splunk to check forwarder certificate package version:
index=_internal source=*metrics.log group=tcpout_connections
name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),“new”,“legacy”)
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config
... View more