Hi there,
I'm hoping this is a simple question...
We have 50+ forwarders, and I'm trying to locate the forwarder that passes syslog traffic to our indexer, but I can't seem to find the information from Splunk's perspective. Is there anywhere to find this information without looking at the configuration on the source?
Thanks and best regards.
I would suggest running:
netstat -nat | grep 514
If you know the index which is receiving the syslog data you can query the metadata:
| metadata type=sources index="yourindex"
Thanks for the response, however:
Running netstat on each box doesn't scale very well, as I don't know which host it is on.
The metadata command appears to return nothing more than: firstTime; lastTime; recentTime; source; totalCount; type
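One way to reconcile the netstat suggestion with the objection that running it on 50+ boxes does not scale is to ask each forwarder's own splunkd management API which TCP/UDP inputs it has on port 514, from a single script. The block below is an added example, not code from the thread or from Splunk; it assumes the forwarders expose the management port (8089 by default), that an account with read access to the inputs collections exists, and that the forwarder hostnames, credentials and the sample API responses are placeholders constructed for the demo. The two REST collections queried, `data/inputs/udp` and `data/inputs/tcp/raw`, are Splunk's documented inputs endpoints, requested with `output_mode=json`.

```python
"""Find which Splunk forwarders have a TCP or UDP input listening on a given port
(here 514, syslog) by querying each forwarder's management REST API, instead of
running netstat on every host by hand.

Added example, not part of the original thread. Assumptions: the management port
(default 8089) is reachable, a read-only account exists, and the hostnames,
password and SAMPLE_RESPONSES below are constructed placeholders.
"""
import json
import ssl
import urllib.request
from base64 import b64encode

# Splunk REST collections that list network inputs (udp and raw tcp listeners).
INPUT_ENDPOINTS = ("data/inputs/udp", "data/inputs/tcp/raw")


def find_port_inputs(entries_json, port):
    """Return the inputs listening on `port` from one endpoint's parsed JSON body.

    Each entry's `name` is the listening port, optionally prefixed with a
    restricting host ("10.0.0.5:514"), so only the last ':'-separated part is
    compared against `port`.
    """
    matches = []
    for entry in entries_json.get("entry", []):
        name = str(entry.get("name", ""))
        if name.rsplit(":", 1)[-1] != str(port):
            continue
        content = entry.get("content", {})
        matches.append({
            "name": name,
            "index": content.get("index", "default"),
            "sourcetype": content.get("sourcetype", ""),
            "disabled": bool(content.get("disabled", False)),
        })
    return matches


def fetch_inputs(forwarder, endpoint, user, password, mgmt_port=8089, verify_tls=True):
    """GET one inputs collection from a forwarder's management port.

    This performs a real network call and is not exercised by demo() below.
    Splunk's default management certificate is self-signed; install its CA and
    keep verify_tls=True rather than disabling verification fleet-wide.
    """
    url = f"https://{forwarder}:{mgmt_port}/services/{endpoint}?output_mode=json&count=0"
    req = urllib.request.Request(url)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def scan_forwarders(forwarders, port, user, password, fetch=fetch_inputs):
    """Map forwarder -> matching inputs (and per-endpoint errors) across the fleet.

    `fetch` is injectable so the scan can run offline against canned responses.
    """
    results = {}
    for fwd in forwarders:
        found = []
        for endpoint in INPUT_ENDPOINTS:
            try:
                body = fetch(fwd, endpoint, user, password)
            except Exception as exc:  # unreachable host, bad credentials, HTTP error
                found.append({"error": f"{endpoint}: {exc}"})
                continue
            for match in find_port_inputs(body, port):
                match["protocol"] = "udp" if endpoint.endswith("udp") else "tcp"
                found.append(match)
        if found:
            results[fwd] = found
    return results


# Constructed sample responses standing in for two forwarders (not real data).
SAMPLE_RESPONSES = {
    ("fwd-01.example.internal", "data/inputs/udp"): {"entry": []},
    ("fwd-01.example.internal", "data/inputs/tcp/raw"): {"entry": [
        {"name": "1514", "content": {"index": "main", "sourcetype": "", "disabled": False}},
    ]},
    ("fwd-02.example.internal", "data/inputs/udp"): {"entry": [
        {"name": "514", "content": {"index": "syslog", "sourcetype": "syslog", "disabled": False}},
    ]},
    ("fwd-02.example.internal", "data/inputs/tcp/raw"): {"entry": [
        {"name": "10.0.0.5:514", "content": {"index": "syslog", "sourcetype": "syslog", "disabled": True}},
    ]},
}


def offline_fetch(forwarder, endpoint, user, password):
    """Stand-in for fetch_inputs that serves the constructed sample above."""
    return SAMPLE_RESPONSES[(forwarder, endpoint)]


def demo():
    """Scan the two constructed forwarders for port 514 without touching the network."""
    fwds = ["fwd-01.example.internal", "fwd-02.example.internal"]
    return scan_forwarders(fwds, 514, "ro_user", "not-a-real-password", fetch=offline_fetch)


if __name__ == "__main__":
    for fwd, inputs in demo().items():
        for item in inputs:
            print(fwd, item)
```

Against a real fleet, replace `offline_fetch` with the default `fetch_inputs` and feed it the forwarder list from your deployment server or CMDB; a forwarder that reports an error for both endpoints most likely has its management port firewalled or disabled, which is worth knowing on its own.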