[Splunk] Forwarder Report with Stats

I created this simple report for work that gives management an simple view of all the devices that have the Splunk Forwarder sending data, along with the version, type, and amount of data being sent. Here is the report:

index=_internal source=*metrics.log group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost,hostname)
| rename connectionType as Type
| eval Type=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "lf",fwdType=="full", "Heavy Forwarder", connectType=="cooked" or connectType=="cookedSSL","Splunk Forwarder", connectType=="raw" or connectType=="rawSSL","Legacy")
| rename version AS "Version", sourceIp AS "Source IP", sourceHost AS "Host", destPort AS "Port"
| fields Type, "Source IP", Host, Port, kb, tcp_eps, tcp_Kprocessed, tcp_KBps, splunk_server, Version
| eval Hour=relative_time(_time,"@h")
| stats avg(tcp_KBps), sum(tcp_eps), sum(tcp_Kprocessed), sum(kb), BY Hour, Type, "Source IP", Host, Port, Version
| fieldformat Hour=strftime(Hour,"%x %Hh")

This is what it looks like: Forwarder Report

Let me know what you think!


Related Posts


Share on: Twitter | Facebook | Google+ | Email


comments powered by Disqus