topic Re: find out which Splunk server received the event. in Splunk Enterprise

find out which Splunk server received the event.

rabrahaham — Mon, 25 Jan 2021 06:30:04 GMT

I all as an architect sometimes I find myself in environment where the inputs are misconfigured and splunk servers are receiving traffic directly. For example the search head and indexer receiving traffic directly even if a syslog server/HF is present in the environment. Is there a search with which I can find out each source type and which Splunk server is receiving the logs and forwarding it to the indexer layer. This will really help in resolving issues.

Thanks

Re: find out which Splunk server received the event.

richgalloway — Mon, 25 Jan 2021 18:28:36 GMT

Forwarding is transparent so there's no indication of where an event was forwarded from (unless you've taken actions to add something).

Check your search heads and indexers for inputs.conf files and remove any TCP or UDP inputs.

Re: find out which Splunk server received the event.

scelikok — Mon, 25 Jan 2021 20:27:21 GMT

Hi @rabrahaham,

You can find your forwarders destinations using below search, normally you should not see an address other than indexer or heavy forwarder.

index=_internal component=TcpOutputProc | stats count by idx