You may also want to use ./splunk list forward-server as well in order to make sure that the index server is being seen by the forwarder.
You can also search the index=_internal host="splunk_forwarder_servername" to make sure that the forwarder is reaching the indexer. A good result would be seeing metric logs; this means that the forwarder is actively communicating with the index
There is likely to be an OS limit on how many files Splunk (or Splunk Forwarder) can have open at any one time. Don't forget to refer to OS documentation in order to up the limit for the user Splunk is running under. In Linux land this would mean editing /etc/limits.conf for both root and the user in addition to restarting the host.
| eval network=if(cidrmatch("10.150.0.0/16",Source), "Vlan150", "Other") | top network limit=0
This is a great way to separate out events based on a network and is documented in the Splunk eval command at the link below.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval