Getting Data In

Forwarded UDP - Check which forwarder

SplunkFu
Path Finder

Hi there,

I'm hoping this is a simple question...

We have 50+ forwarders, and I'm trying to locate the forwarder that passes Syslog traffic to our Indexer, but I can't seem to find the information from Splunk's perspective, is there any where to find this information without looking at the configuration on the source?

Thanks and best regards.

Tags (3)
0 Karma

krugger
Communicator

I would suggest running:

netstat -nat | grep 514

If you know the índex which is receiving the syslog data you can query the metadata:

| metadata type=sources índex="yourindeX"

0 Karma

SplunkFu
Path Finder

Thanks for the response, however:

  1. Running netstat on each box doesn't scale very well, as I don't know which host it is on

  2. The metadata command appears to return nothing more than: firstTime; lastTime; recentTime; source; totalCount; type

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...