Splunk Search

How to determine which forwarder sent data without relying on host?

jeff
Contributor

I have a pool of identically configured rsyslog servers behind a load balancer. Each hosts' data is written to a log file in a host-specific directory (/var/log/rsyslog/[date]/[host]/message.log). Splunk Universal Forwarder is configured on each rsyslog server to read log data, setting host based on the directory name (host_segment).

When the data reaches the Splunk indexer, the host is properly configured to the source of the log data, and the splunk_server is set to the indexer. Is there something that will tell me which of the rsyslog servers actually sent the data? If it's there I'm not finding it.

Tags (3)
0 Karma

Takajian
Builder

I do not think each events contain the information where the event come from. But following internal log contains which forwarder send data.

/opt/splunk/var/log/metrics.log

If this does not help, please let me know more detail what you are looking for.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...