I'm working on some reporting, and found an anomaly in the data:
index=_internal source=*metrics.log group=tcpin_connections earliest="8/20/2015:00:00:00" latest="8/28/2015:00:00:00"
| eval cutoff=strptime("08/27/2015:00:00:00", "%m/%d/%Y:%H:%M:%S")
| eval last=if(_time<cutoff, 0, 1)
| eval pKb=if(last==0,kb,0)
| eval lKb=if(last==0,0,kb)
| stats values(hostname) as hostname, values(sourceHost) as sourceHost, sum(pKb) as pKb, sum(lKb) as lKb by guid
| eval ratio=lKb/(pKb/7)
| sort hostname
I'm getting some hostname/sourceHost sets with multiple guids. Trying to figure out if someone cloned a machine with $SPLUNK_HOME/etc/instance.cfg intact, or if Splunk UF was reinstalled on that machine over the reporting period.
Where does the sourceHost field come from? Is it provided by the UF, or filled in by the Splunk indexer?
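As an added example (not part of the original question or the answers), the following Python script reproduces the SPL aggregation above offline against a few constructed metrics.log-style lines: per-guid prior/last kb sums and the lKb/(pKb/7) ratio. It then groups guids by the (hostname, sourceHost) pair and uses first/last-seen times to separate the two hypotheses in the question: guids that report concurrently under one hostname (consistent with a cloned instance.cfg) versus guids that hand over in sequence (consistent with a reinstall). The line shape is a simplified approximation of tcpin_connections entries, the sample values are invented, and the field names hostname, sourceHost, guid and kb are the ones used in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines shaped like metrics.log tcpin_connections entries.
# All hosts, GUIDs and kb values are invented for this example.
SAMPLE_LOG = """\
08/21/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, hostname=web01, guid=AAAA-1, kb=100.0
08/25/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, hostname=web01, guid=AAAA-1, kb=100.0
08/27/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, hostname=web01, guid=AAAA-1, kb=50.0
08/27/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.5, hostname=web01, guid=BBBB-2, kb=50.0
08/21/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.9, hostname=db01, guid=CCCC-3, kb=200.0
08/27/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.9, hostname=db01, guid=DDDD-4, kb=30.0
08/22/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.7, hostname=app01, guid=EEEE-5, kb=70.0
08/27/2015 00:05:00.000 +0000 INFO  Metrics - group=tcpin_connections, sourceHost=10.0.0.7, hostname=app01, guid=EEEE-5, kb=10.0
"""

# Same cutoff as the SPL in the question: events on/after 08/27 count as "last".
CUTOFF = datetime(2015, 8, 27, tzinfo=timezone.utc)

# Timestamp prefix, then everything after "group=tcpin_connections, " as key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d{3} [+-]\d{4} "
    r".*?group=tcpin_connections, (?P<kv>.*)$"
)


def parse_line(line):
    """Return (timestamp, fields) for a tcpin_connections line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    # Tokens without "=" (real entries carry a positional ip:port:port token) are skipped.
    fields = {}
    for token in m.group("kv").split(","):
        token = token.strip()
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    return ts, fields


def aggregate(log_text, cutoff=CUTOFF, prior_days=7):
    """Per-guid equivalent of the SPL stats: pKb, lKb, ratio, plus first/last seen."""
    per_guid = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        rec = per_guid.setdefault(f["guid"], {
            "hostname": f["hostname"], "sourceHost": f["sourceHost"],
            "pKb": 0.0, "lKb": 0.0, "first": ts, "last": ts,
        })
        if ts < cutoff:
            rec["pKb"] += float(f["kb"])   # prior period (last==0)
        else:
            rec["lKb"] += float(f["kb"])   # last day (last==1)
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    for rec in per_guid.values():
        daily_prior = rec["pKb"] / prior_days
        # ratio=lKb/(pKb/7); None where the guid has no prior-period traffic (SPL would divide by zero)
        rec["ratio"] = rec["lKb"] / daily_prior if daily_prior else None
    return per_guid


def classify(per_guid):
    """Flag (hostname, sourceHost) pairs with more than one guid and suggest a cause."""
    groups = defaultdict(list)
    for guid, rec in per_guid.items():
        groups[(rec["hostname"], rec["sourceHost"])].append(guid)
    findings = {}
    for key, guids in groups.items():
        if len(guids) < 2:
            continue
        ordered = sorted(guids, key=lambda g: per_guid[g]["first"])
        # Sequential hand-over (old guid silent before new guid appears) points to a reinstall;
        # overlapping activity under one hostname points to a cloned instance.cfg.
        sequential = all(per_guid[a]["last"] < per_guid[b]["first"]
                         for a, b in zip(ordered, ordered[1:]))
        findings[key] = {
            "guids": ordered,
            "verdict": "reinstall_suspected" if sequential else "clone_suspected",
        }
    return findings


if __name__ == "__main__":
    per_guid = aggregate(SAMPLE_LOG)
    for guid, rec in sorted(per_guid.items(), key=lambda kv: kv[1]["hostname"]):
        print(f"{rec['hostname']:6} {rec['sourceHost']:9} {guid:7} "
              f"pKb={rec['pKb']:.1f} lKb={rec['lKb']:.1f} ratio={rec['ratio']}")
    for (hostname, source_host), finding in classify(per_guid).items():
        print(f"{hostname} ({source_host}): {finding['verdict']} guids={finding['guids']}")
```

On the constructed data, web01 shows two guids active on the same day and is flagged as a suspected clone, db01 shows a clean hand-over and is flagged as a suspected reinstall, and app01 with a single guid produces no finding. Guids with no prior-period traffic get a ratio of None rather than the division-by-zero the SPL would hit.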
The entries are generated by the indexer based on the information sent to the indexer by the UF (during its heartbeat).
It is provided by the UF in its heartbeat information sent to the indexer.