where does the sourceHost come from in *metrics.lo...

wegscd · ‎09-01-2015

I'm working on some reporting, and found an anomaly in the data:

index=_internal source=*metrics.log group=tcpin_connections earliest="8/20/2015:00:00:00" latest="8/28/2015:00:00:00"
| eval cutoff=strptime("08/27/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")
| eval last=if(_time<cutoff, 0, 1)
| eval pKb=if(last==0,kb,0) 
| eval lKb=if(last==0,0,kb) 
| stats values(hostname) as hostname, values(sourceHost) as sourceHost, sum(pKb) as pKb, sum(lKb) as lKb by guid
| eval ratio=lKb/(pKb/7)
| sort hostname

I'm getting some hostname/sourceHost sets with multiple guids. Trying to figure out if someone cloned a machine with $SPLUNK_HOME/etc/instance.cfg intact, or if Splunk UF was reinstalled on that machine over the reporting period.

Where does the sourceHost field come from? Is it provided by the UF, or filled in by the Splunk indexer?

somesoni2 · ‎09-03-2015

The entries are generated by the indexer based on the information sent to Indexer by UF (during heartbeat)

wegscd · ‎09-08-2015

Where does the sourceHost field come from? Is it provided by the UF, or filled in by the Splunk indexer?

somesoni2 · ‎09-08-2015

It is provided by UF during it's hearbeat information sent to Indexer.

where does the sourceHost come from in *metrics.log group=tcp_connections?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms