Splunk Search

Is there a way to search which heavy forwarder sent a log to the indexer?

galwood
New Member

Is there a way to search a log and figure out which heavy forwarder sent the log to the indexer?

0 Karma

jlanders
Path Finder

Had a need for this today. This search does the trick for me:

index=_internal (host=myheavyforwarder1 OR host=myheavyforwarder2 OR host=myheavyforwarder3) sourcetype=splunkd "group=tcpin_connections" component=Metrics | timechart span=30m dc(hostname) by host

From this, I can see the distinct count of hostnames flowing through each heavy forwarder...

jlanders
Path Finder

Btw, if you were to dig into these metrics, you could infer other things... like which logs went through which heavy forwarder by looking at group=per_source_thruput series="your source". The key is "infer" because your universal forwarders should load balance through your heavy forwarders and most logs will go through all of them.

With the combination of the per source thruput and a rough timeframe though, you could take a good guess.

0 Karma

somesoni2
SplunkTrust

I would say it depends on how you've setup log monitoring.

a) If you're not overriding the host, the host field in your log will denote the forwarder which collected it.

your base search | stats count by host | table host

b) If you're overriding the host, then find the host (overridden) value in your logs and search for corresponding logging server in metrics logs

index=_internal sourcetype=splunkd source=*metrics.log group=per_host_thruput series="hostValueFromYourLog" | stats count by host | table host

0 Karma
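The two approaches above (jlanders' tcpin_connections / per_source_thruput inference and somesoni2's per_host_thruput lookup) both boil down to reading splunkd's metrics.log key=value lines and grouping them by the host field of the heavy forwarder that wrote them. The following Python is an added example, not code from either poster or from Splunk: it does that offline over a handful of constructed metrics.log lines so you can see what the SPL is actually computing. The forwarder names (hf1, hf2), the monitored hosts (web01, app01, db01) and the line contents are constructed placeholders, and the (host, raw_line) pairing stands in for the host field the indexer would attach to each event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events for this example. Each entry is (host, raw_line):
# "host" plays the role of the Splunk host field on the indexed event, i.e. the
# heavy forwarder whose splunkd wrote the line, and raw_line is the metrics.log
# text in its key=value layout. All names and addresses are placeholders.
SAMPLE_EVENTS = [
    ("hf1", '03-15-2024 10:00:12.001 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=1.20, eps=3.50, kb=36.00, ev=105, avg_age=0.50, max_age=1'),
    ("hf2", '03-15-2024 10:00:12.004 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=1.20, eps=3.50, kb=36.00, ev=105, avg_age=0.50, max_age=1'),
    ("hf2", '03-15-2024 10:00:12.004 +0000 INFO  Metrics - group=per_host_thruput, series="db01", kbps=0.40, eps=1.00, kb=12.00, ev=30, avg_age=0.20, max_age=1'),
    # A non-Metrics splunkd line, kept to show that the parser ignores it.
    ("hf1", '03-15-2024 10:00:12.002 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.9:9997'),
    ("hf1", '03-15-2024 10:30:42.001 +0000 INFO  Metrics - group=per_host_thruput, series="web01", kbps=1.20, eps=3.50, kb=36.00, ev=105, avg_age=0.50, max_age=1'),
    ("hf1", '03-15-2024 10:30:42.003 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.21:51234:9997, connectionType=cooked, sourceHost=10.0.0.21, destPort=9997, kb=36.00, hostname=web01, fwdType=uf, ssl=false'),
    ("hf1", '03-15-2024 10:30:42.003 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.22:51240:9997, connectionType=cooked, sourceHost=10.0.0.22, destPort=9997, kb=8.00, hostname=app01, fwdType=uf, ssl=false'),
    ("hf2", '03-15-2024 10:30:42.005 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.21:51236:9997, connectionType=cooked, sourceHost=10.0.0.21, destPort=9997, kb=0.00, hostname=web01, fwdType=uf, ssl=false'),
    ("hf2", '03-15-2024 10:30:42.005 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.23:51250:9997, connectionType=cooked, sourceHost=10.0.0.23, destPort=9997, kb=12.00, hostname=db01, fwdType=uf, ssl=false'),
]

# metrics.log timestamp prefix: MM-DD-YYYY HH:MM:SS.mmm +ZZZZ
TS_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
# key=value pairs, with either a double-quoted value or a bare value ending at a comma/space
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_ts(text):
    """Parse a metrics.log timestamp such as '03-15-2024 10:00:12.001 +0000'."""
    return datetime.strptime(text, "%m-%d-%Y %H:%M:%S.%f %z")


def parse_metrics_line(line):
    """Return (timestamp, {key: value}) for a 'Metrics -' line, or None for any other splunkd line."""
    m = TS_RE.match(line)
    if m is None or " Metrics - " not in line:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted or bare  # only one alternative matches; the other is ''
    return parse_ts(m.group(1)), fields


def forwarders_for_host(events, host_series, start=None, end=None):
    """Total kb of host_series traffic seen per heavy forwarder (per_host_thruput).

    Equivalent to somesoni2's search plus a time range: which forwarders reported
    throughput for this host, and how much, within [start, end] when given.
    """
    totals = defaultdict(float)
    for forwarder, line in events:
        parsed = parse_metrics_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("group") != "per_host_thruput" or f.get("series") != host_series:
            continue
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        totals[forwarder] += float(f["kb"])
    return dict(sorted(totals.items()))


def distinct_hosts_per_forwarder(events):
    """Hostnames with an inbound connection on each forwarder (jlanders' dc(hostname) by host)."""
    seen = defaultdict(set)
    for forwarder, line in events:
        parsed = parse_metrics_line(line)
        if parsed is None:
            continue
        _, f = parsed
        if f.get("group") == "tcpin_connections" and "hostname" in f:
            seen[forwarder].add(f["hostname"])
    return {fw: sorted(hosts) for fw, hosts in sorted(seen.items())}


if __name__ == "__main__":
    print("web01 traffic per forwarder:", forwarders_for_host(SAMPLE_EVENTS, "web01"))
    window = (parse_ts("03-15-2024 10:15:00.000 +0000"), parse_ts("03-15-2024 10:45:00.000 +0000"))
    print("web01 in 10:15-10:45 window:", forwarders_for_host(SAMPLE_EVENTS, "web01", *window))
    print("hosts connected per forwarder:", distinct_hosts_per_forwarder(SAMPLE_EVENTS))
```

Note what the sample shows: web01 is load-balanced across both forwarders (jlanders' point about why this is inference, not proof), but narrowing to the 30-minute window that contains the log you care about leaves only hf1, which is the "per source thruput plus a rough timeframe" guess described above. db01 appears on hf2 alone, so for hosts that are not load-balanced the lookup is unambiguous.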