topic Re: Forwarded UDP - Check which forwarder in Getting Data In

Forwarded UDP - Check which forwarder

SplunkFu — Mon, 08 Apr 2013 13:09:47 GMT

Hi there,

I'm hoping this is a simple question...

We have 50+ forwarders, and I'm trying to locate the forwarder that passes Syslog traffic to our Indexer, but I can't seem to find the information from Splunk's perspective, is there any where to find this information without looking at the configuration on the source?

Thanks and best regards.

Re: Forwarded UDP - Check which forwarder

krugger — Mon, 08 Apr 2013 14:24:58 GMT

I would suggest running:

netstat -nat | grep 514

If you know the índex which is receiving the syslog data you can query the metadata:

| metadata type=sources índex="yourindeX"

Re: Forwarded UDP - Check which forwarder

SplunkFu — Tue, 09 Apr 2013 12:09:31 GMT

Thanks for the response, however:

Running netstat on each box doesn't scale very well, as I don't know which host it is on
The metadata command appears to return nothing more than: firstTime; lastTime; recentTime; source; totalCount; type