Hi,
I have some syslog messages that I want to turn off from my sandbox. They are coming in from 3 potential servers. I removed the logfile form the inputs.conf, and bounced the forwarders, but they are still coming in. Since the host on these messages point to the originating device (not the forwarder host), how can I determine where they are coming from? I stopped each of the forwarders, and I still see them coming in.
In addition to @dskillman's response... You can use "btool" to quickly list all the "inputs.conf" files in your instance (as you could have many apps).
An example of the command would be (from you $SPLUNK_HOME/bin directory):
./splunk cmd btool inputs list
If your forwarders are "turned off" I would recommend looking for local "file monitors" (i.e. on the system you're on) and UDP/TCP ports as inputs.
What are the host/sourcetype/source/index associated with the events ?
If this is syslog, or if the host is extracted from the event, maybe, you may have a port open accepting data ( check tcp or udp inputs)
Sounds like you have some local inputs on your indexer. What does your inputs.conf look like on your indexer?