Is there a way to see the originating forwarder for a specfic event? I haven't found any internal/metadata fields. There are scenarios where it would be interesting to pinpoint the exact intermediate forwarder. Something like "splunk_server" but for forwarders.
I finally found a way to achieve this in another thread: http://answers.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forwarde...
You need to manually add the metadata field, but it should suffice.
I finally found a way to achieve this in another thread: http://answers.splunk.com/answers/1453/how-do-i-add-metadata-to-events-coming-from-a-splunk-forwarde...
You need to manually add the metadata field, but it should suffice.
No official comment here? This is very useful especially if one has a chain of forwarders and want to see where the event came in, which forwarder passed it on etc.