I created this simple report for work that gives management a simple view of all the devices that have the Splunk Forwarder sending data, along with the version, type, and amount of data being sent. Here is the report:

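index=_internal source=*metrics.log group=tcpin_connections
``` Forwarder inventory: one row per hour and sender, with type, version and volume. If your Splunk version rejects inline comments, delete the comment lines. ```
``` Prefer the hostname field when the event has one; otherwise keep sourceHost. ```
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
``` Classify the sender. The fallback branches test connectionType, the field these events carry; the original tested connectType, which is never set here, so senders without fwdType got a null Type. ```
``` The final true() branch keeps unclassified senders in the report instead of letting stats drop them. ```
| eval Type=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf","lf", fwdType=="full","Heavy Forwarder", connectionType=="cooked" OR connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" OR connectionType=="rawSSL","Legacy", true(),"Unknown")
| rename version AS "Version", sourceIp AS "Source IP", sourceHost AS "Host", destPort AS "Port"
``` stats omits any row whose BY field is null, so give senders that report no version a visible placeholder. ```
| fillnull value="unknown" Version
| fields Type, "Source IP", Host, Port, kb, tcp_eps, tcp_Kprocessed, tcp_KBps, splunk_server, Version
``` Bucket events to the start of their hour. ```
| eval Hour=relative_time(_time,"@h")
| stats avg(tcp_KBps), sum(tcp_eps), sum(tcp_Kprocessed), sum(kb) BY Hour, Type, "Source IP", Host, Port, Version
``` Display only: Hour stays an epoch value for sorting. ```
| fieldformat Hour=strftime(Hour,"%x %Hh")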

