Solved: Re: How to search which forwarder in my environmen...

AaronMoorcroft · ‎03-24-2015

Morning Guys

Over the last week or so, my license usage has gone up by around 10 gig. I have looked in our Deployment Monitor App and when drilling down, I can't find which forwarder is sending the increased amounts of data, I have broken it down to what sourcetype it is, but what I really need is the host or hosts.

does anyone have a query that can provide this info ?

lguinn2 · ‎03-24-2015

Try this

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=coalesce(sourceHost,hostname)
| stats sum(kb) AS kb_forwarded by sourceHost
| sort 3 -kb_forwarded

This will show you the three most active forwarders.

View solution in original post

glennpierce · ‎03-24-2015

I like this search as it gives me source, sourcetype, host and volume in a nice table which can then be sorted by whichever column you want (defaults to volume):
index=_internal source=*license_usage.log | eval MB=b/1024/1024 | stats sum(MB) by s,st,h | rename s AS Source st AS Sourcetype h AS Host sum(MB) AS Volume(MB) | sort -Volume(MB) | head 50

lguinn2 · ‎03-24-2015

Try this

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=coalesce(sourceHost,hostname)
| stats sum(kb) AS kb_forwarded by sourceHost
| sort 3 -kb_forwarded

This will show you the three most active forwarders.

AaronMoorcroft · ‎03-25-2015

Thanks guys both are very helpful to me in different ways, I appreciate you time 🙂

How to search which forwarder in my environment is sending the most data?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases