https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60294#M11945 <P>In addition to @dskillman's response... You can use "btool" to quickly list all the "inputs.conf" files in your instance (as you could have many apps). </P> <P>Docs are <A href="http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations">http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations</A></P> <P>An example of the command would be (from you $SPLUNK_HOME/bin directory): </P> <P><CODE>./splunk cmd btool inputs list</CODE></P> <P>If your forwarders are "turned off" I would recommend looking for local "file monitors" (i.e. on the system you're on) and UDP/TCP ports as inputs.</P> Fri, 14 Sep 2012 15:02:13 GMT MHibbin 2012-09-14T15:02:13Z https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60292#M11943 <P>Hi,</P> <P>I have some syslog messages that I want to turn off from my sandbox. They are coming in from 3 potential servers. I removed the logfile form the inputs.conf, and bounced the forwarders, but they are still coming in. Since the host on these messages point to the originating device (not the forwarder host), how can I determine where they are coming from? I stopped each of the forwarders, and I still see them coming in. </P> Fri, 14 Sep 2012 13:59:29 GMT https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60292#M11943 a212830 2012-09-14T13:59:29Z https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60293#M11944 <P>Sounds like you have some local inputs on your indexer. What does your inputs.conf look like on your indexer? </P> Fri, 14 Sep 2012 14:55:17 GMT https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60293#M11944 dskillman 2012-09-14T14:55:17Z https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60294#M11945 <P>In addition to @dskillman's response... You can use "btool" to quickly list all the "inputs.conf" files in your instance (as you could have many apps). </P> <P>Docs are <A href="http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations">http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Usebtooltotroubleshootconfigurations</A></P> <P>An example of the command would be (from you $SPLUNK_HOME/bin directory): </P> <P><CODE>./splunk cmd btool inputs list</CODE></P> <P>If your forwarders are "turned off" I would recommend looking for local "file monitors" (i.e. on the system you're on) and UDP/TCP ports as inputs.</P> Fri, 14 Sep 2012 15:02:13 GMT https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60294#M11945 MHibbin 2012-09-14T15:02:13Z https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60295#M11946 <P>What are the host/sourcetype/source/index associated with the events ?</P> <P>If this is syslog, or if the host is extracted from the event, maybe, you may have a port open accepting data ( check tcp or udp inputs)</P> Fri, 14 Sep 2012 15:16:05 GMT https://community.splunk.com/t5/Getting-Data-In/determining-where-an-event-originated/m-p/60295#M11946 yannK 2012-09-14T15:16:05Z