yorokobi/gist:39dadf570689c4f9f0d1

## gistfile1.txt
index=_internal source="*metrics.lo*" group=tcpin_connections earliest=-7d latest=now
| eval sourceHost = if( isnull(hostname), sourceHost, hostname )
| dedup sourceHost
| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
| eval build = if( isnull(build), "N/A", build )
| eval version = if( isnull(version), "pre 4.2", version )
| eval guid = if( isnull(guid), sourceHost, guid )
| eval os = if( isnull(os), "N/A", os )
| eval arch = if( isnull(arch), "N/A", arch )
| rex field=guid mode=sed "s/-//g"
| eval guid = lower(guid)
| rex field=sourceHost "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)"
| table connectionType sourceHost sourceDomain sourceIp build version os arch guid
| outputlookup createinapp=t splunk_forwarders.csv
	index=_internal source="metrics.lo" group=tcpin_connections earliest=-7d latest=now
	\| eval sourceHost = if( isnull(hostname), sourceHost, hostname )
	\| dedup sourceHost
	\| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
	\| eval build = if( isnull(build), "N/A", build )
	\| eval version = if( isnull(version), "pre 4.2", version )
	\| eval guid = if( isnull(guid), sourceHost, guid )
	\| eval os = if( isnull(os), "N/A", os )
	\| eval arch = if( isnull(arch), "N/A", arch )
	\| rex field=guid mode=sed "s/-//g"
	\| eval guid = lower(guid)
	\| rex field=sourceHost "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)"
	\| table connectionType sourceHost sourceDomain sourceIp build version os arch guid
	\| outputlookup createinapp=t splunk_forwarders.csv