This is part of what the SoS app uses to update its forwarders lookup file:
index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server
I think this is what you are looking for:
index=_internal sourcetype=splunkd destPort!="-"| stats sparkline count by hostname, sourceHost, host, destPort, version | rename destPort as "Destination Port" | rename host as "Indexer" | rename sourceHost as "Forwarder IP" | rename version as "Splunk Forwarder Version" | rename hostname as "Forwarder Host Name" | rename sparkline as "Traffic Frequency" | sort - count
I used your solution to solve my question here. Thanks for posting this!
https://answers.splunk.com/answers/379013/alert-if-a-forwarder-service-stops.html
If you can't do SoS, then here's a simple search against the _internal index that works for me:
index=_internal sourcetype=splunkd version source=*metrics.log | table hostname os version build
Many thanks. That worked.
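As an added example (not from this thread or the SoS app), here is a stand-alone Python equivalent of the metrics.log group=tcpin_connections search: it parses constructed sample log lines, keeps the latest build/arch/fwdType/os/version per hostname while skipping IP-literal hostnames exactly as the SoS regex does, and also lists forwarders not seen within a time window, which is the condition behind the linked "alert if a forwarder service stops" question. The sample lines and their field values are constructed (abbreviated field list), so the line layout is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample splunkd metrics.log lines (abbreviated field list, made-up values),
# shaped like the group=tcpin_connections events the searches above read.
SAMPLE_METRICS_LOG = """\
03-21-2016 10:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.3:50001:9997, connectionType=cooked, sourceHost=10.1.2.3, destPort=9997, kb=1.5, build=f44afce176d0, version=6.3.3, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=false
03-21-2016 10:00:31.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2, average_kbps=0.9
03-21-2016 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.3:50001:9997, connectionType=cooked, sourceHost=10.1.2.3, destPort=9997, kb=0.7, build=f44afce176d0, version=6.3.3, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=false
03-21-2016 10:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.9:50200:9997, connectionType=cooked, sourceHost=10.1.2.9, destPort=9997, kb=0.2, build=e2c8d6c2d2c8, version=6.2.1, os=Windows, arch=x86_64, hostname=10.1.2.9, fwdType=uf, ssl=false
03-21-2016 10:01:01.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.5:50100:9997, connectionType=cooked, sourceHost=10.1.2.5, destPort=9997, kb=2.1, build=f44afce176d0, version=6.3.3, os=Linux, arch=x86_64, hostname=db01, fwdType=uf, ssl=true
03-21-2016 10:01:31.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.5:50100:9997, connectionType=cooked, sourceHost=10.1.2.5, destPort=9997, kb=0.9, build=a1b2c3d4e5f6, version=6.4.0, os=Linux, arch=x86_64, hostname=db01, fwdType=uf, ssl=true
"""

TS = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4})")
KV = re.compile(r"(\w+)=([^,\s]+)")
IP_LITERAL = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")  # same pattern as the SoS regex

def parse_tcpin_connections(log_text):
    """Yield (timestamp, fields) for every group=tcpin_connections event."""
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m or "group=tcpin_connections" not in line:
            continue
        ts = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S.%f %z")
        yield ts, dict(KV.findall(line))

def forwarder_inventory(log_text):
    """Latest build/arch/fwdType/os/version per hostname, skipping IP-literal names
    (the Python equivalent of regex hostname!=... | stats latest(...) by sos_server)."""
    inventory = {}
    for ts, f in parse_tcpin_connections(log_text):
        name = f.get("hostname")
        if not name or IP_LITERAL.match(name):
            continue
        if name not in inventory or ts >= inventory[name]["last_seen"]:
            inventory[name] = {"last_seen": ts, "build": f.get("build"),
                               "cpu_arch": f.get("arch"), "forwarder_type": f.get("fwdType"),
                               "os_name": f.get("os"), "version": f.get("version")}
    return inventory

def stale_forwarders(inventory, now, max_age=timedelta(minutes=5)):
    """Hostnames not seen within max_age: the condition behind 'alert if a forwarder stops'."""
    return sorted(h for h, v in inventory.items() if now - v["last_seen"] > max_age)

if __name__ == "__main__":
    inv = forwarder_inventory(SAMPLE_METRICS_LOG)
    for host, v in sorted(inv.items()):
        print(host, v["version"], v["build"], v["os_name"], v["cpu_arch"], v["forwarder_type"])
    print("stale:", stale_forwarders(inv, datetime(2016, 3, 21, 10, 6, tzinfo=timezone.utc)))
```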