Hi
In Distributed Monitoring Console you can find a dashboard panel that list forwarder's connections.

| inputlookup dmc_forwarder_assets 
| eval avg_tcp_kbps = if (status == "missing", "N/A", avg_tcp_kbps) 
| fields hostname status avg_tcp_kbps
| where avg_tcp_kbps>threeshold

From this search you can find the Average kb/s and put a threeshold alert.

Bye.
Giuseppe

from an answer by @burwell at the post - Here's what I do to detect throttled forwarders. I have a scheduled search for last 4 hours (-240m to now) and then alert for any events:

 index=_internal " INFO " " throttled" NOT debug source=*splunkd.log*  | dedup host |sort host|  table host _raw

This gives me a nice table per host and I can see the hosts and what the thruput is that is getting throttled. Example output:

 foo1.host.com        10-22-2017 18:26:28.131 +0000 INFO ThruputProcessor - Current data throughput (258 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf.
 foo2.host.com        10-22-2017 18:29:28.324 +0000 INFO ThruputProcessor - Current data throughput (512 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf.