I have a pool of identically configured rsyslog servers behind a load balancer. Each host's data is written to a log file in a host-specific directory (/var/log/rsyslog/[date]/[host]/message.log). Splunk Universal Forwarder is configured on each rsyslog server to read log data, setting host based on the directory name (host_segment).
When the data reaches the Splunk indexer, the host is properly configured to the source of the log data, and the splunk_server is set to the indexer. Is there something that will tell me which of the rsyslog servers actually sent the data? If it's there I'm not finding it.
I do not think each event contains the information about where the event came from. But the following internal log contains which forwarder sent data.
/opt/splunk/var/log/metrics.log
If this does not help, please let me know in more detail what you are looking for.
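As an added illustration of what the answer above points at (not code from the original thread or from Splunk), the snippet below parses the group=tcpin_connections records that splunkd writes to metrics.log on the indexer and totals received kilobytes per forwarder. The sample lines are constructed; the field names (sourceIp, hostname, guid, kb, fwdType) are assumed to match the real metrics.log layout. Because these records are per-connection samples taken on an interval, they attribute volume to a forwarder for that interval, not the origin of any single event.

```python
import re
from collections import defaultdict

# Constructed sample of splunkd metrics.log lines from an indexer. Field names
# are assumed to match the real tcpin_connections format; values are made up.
SAMPLE_METRICS_LOG = """\
01-15-2024 10:00:31.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.11:9997:51234, connectionType=cooked, sourcePort=51234, sourceHost=10.0.1.11, sourceIp=10.0.1.11, destPort=9997, kb=128.50, _tcp_Bps=4386.13, _tcp_KBps=4.28, _tcp_avg_thruput=4.28, _tcp_Kprocessed=128, _tcp_eps=12.10, fwdType=uf, arch=x86_64, os=Linux, ssl=false, lastIndexer=, ack=false, build=PLACEHOLDER, guid=AAAA-1111, hostname=rsyslog01, version=9.1.2
01-15-2024 10:00:31.123 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.12:9997:51877, connectionType=cooked, sourcePort=51877, sourceHost=10.0.1.12, sourceIp=10.0.1.12, destPort=9997, kb=64.00, _tcp_Bps=2184.53, _tcp_KBps=2.13, _tcp_avg_thruput=2.13, _tcp_Kprocessed=64, _tcp_eps=6.00, fwdType=uf, arch=x86_64, os=Linux, ssl=false, lastIndexer=, ack=false, build=PLACEHOLDER, guid=BBBB-2222, hostname=rsyslog02, version=9.1.2
01-15-2024 10:00:31.123 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=6.41, instantaneous_eps=18.10, average_kbps=6.00, total_k_processed=192, kb=192.50, ev=543
01-15-2024 10:01:01.456 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.11:9997:51234, connectionType=cooked, sourcePort=51234, sourceHost=10.0.1.11, sourceIp=10.0.1.11, destPort=9997, kb=256.00, _tcp_Bps=8738.13, _tcp_KBps=8.53, _tcp_avg_thruput=6.40, _tcp_Kprocessed=384, _tcp_eps=24.00, fwdType=uf, arch=x86_64, os=Linux, ssl=false, lastIndexer=, ack=false, build=PLACEHOLDER, guid=AAAA-1111, hostname=rsyslog01, version=9.1.2
"""

# key=value pairs are comma separated; values may be empty (e.g. lastIndexer=).
KV_RE = re.compile(r"(\w+)=([^,]*)")


def parse_tcpin_connections(text):
    """Yield one dict per tcpin_connections record; other metric groups are skipped."""
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        fields = dict(KV_RE.findall(line))
        # The timestamp is the first two whitespace-separated tokens of the line.
        date, clock = line.split()[:2]
        fields["_time"] = f"{date} {clock}"
        yield fields


def source_ip_to_forwarder(text):
    """Map the IP the indexer saw the connection from to the forwarder's own hostname."""
    return {rec["sourceIp"]: rec["hostname"] for rec in parse_tcpin_connections(text)}


def forwarders_by_kb(text):
    """Sum the sampled 'kb' field per forwarder hostname over the whole log excerpt.

    This is interval-level attribution of received volume, not a per-event origin.
    """
    totals = defaultdict(float)
    for rec in parse_tcpin_connections(text):
        totals[rec.get("hostname", rec.get("sourceIp", "?"))] += float(rec.get("kb", 0))
    return dict(totals)


if __name__ == "__main__":
    print(source_ip_to_forwarder(SAMPLE_METRICS_LOG))
    print(forwarders_by_kb(SAMPLE_METRICS_LOG))
```

The same records are searchable on the indexer itself with index=_internal sourcetype=splunkd group=tcpin_connections, which avoids reading the file by hand.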