https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110853#M23278 <P>nope, because the value in "host" is the wrong one (overridden value) and i need to ip or hostname of the forwarder where this came from.</P> Mon, 08 Sep 2014 11:56:22 GMT dominiquevocat 2014-09-08T11:56:22Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110843#M23268 <P>How do i get a list comprising the fields host, source for each forwarder.</P> <P>Background: the admins of the machines where the forwarder runs on seem to have made mistakes when adding a monitor and i would like to identify which ones are wrong and provide a clearing list.<BR /> The field that is wrong is unfortunately "host". By identifying which "host,source" by forwarder i can tell which forwarder needs to be corrected.</P> Thu, 04 Sep 2014 08:11:11 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110843#M23268 dominiquevocat 2014-09-04T08:11:11Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110844#M23269 <P>Try this</P> <PRE><CODE>|metasearch host=* | dedup source | table host, source </CODE></PRE> Thu, 04 Sep 2014 09:51:45 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110844#M23269 strive 2014-09-04T09:51:45Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110845#M23270 <P>I updated the question, sorry. The field that is wrong is "host"...</P> Thu, 04 Sep 2014 10:50:51 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110845#M23270 dominiquevocat 2014-09-04T10:50:51Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110846#M23271 <P>The above search should work for your needs. In case if you need splunk server details also then do this</P> <P><CODE>|metasearch host=* | dedup source | table host, source, splunk_server</CODE></P> Thu, 04 Sep 2014 11:19:07 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110846#M23271 strive 2014-09-04T11:19:07Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110847#M23272 <P>Are you configuring what should be host in inputs.conf? If not the host name set on the device will be taken automatically.</P> Thu, 04 Sep 2014 11:20:39 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110847#M23272 strive 2014-09-04T11:20:39Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110848#M23273 <P>i have reason to suspect, that the guy indexing files specified the host when doing "add monitor" on the command line.</P> Thu, 04 Sep 2014 11:32:46 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110848#M23273 dominiquevocat 2014-09-04T11:32:46Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110849#M23274 <P>Ok. In any case, the above search in my comment should work. are you seeing any issues with the search?</P> Thu, 04 Sep 2014 11:42:42 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110849#M23274 strive 2014-09-04T11:42:42Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110850#M23275 <P>Hi dominiquevocat,</P> <P>because it is fun to play around in Splunk and always look for other ways to get the results, try this:</P> <PRE><CODE> index=_internal ( source=*license_usage.log type!=*Summary ) OR ( source=*metrics.log group=tcpin_connections fwdType=uf ) | streamstats last(sourceIp) AS last_ip last(hostname) AS last_hostname | where h=last_hostname | stats values(last_ip) AS IP values(st) AS sourcetype values(s) AS source by h | rename h AS Host </CODE></PRE> <P>This will give you a nice table view of each Hosts Name, IP used, sourcetype used and sources used.</P> <P>hope this helps ...</P> <P>cheers, MuS</P> Thu, 04 Sep 2014 12:40:26 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110850#M23275 MuS 2014-09-04T12:40:26Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110851#M23276 <P>looks nice! perhaps due to the large amount of files on one of the hosts it stops after some 30'000 or so sources...</P> Thu, 04 Sep 2014 14:06:04 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110851#M23276 dominiquevocat 2014-09-04T14:06:04Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110852#M23277 <P>HeHe, try to limit the base search by using snippets of the source name or ip or hostname <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 04 Sep 2014 14:07:52 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110852#M23277 MuS 2014-09-04T14:07:52Z https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110853#M23278 <P>nope, because the value in "host" is the wrong one (overridden value) and i need to ip or hostname of the forwarder where this came from.</P> Mon, 08 Sep 2014 11:56:22 GMT https://community.splunk.com/t5/Getting-Data-In/list-host-source-by-forwarder/m-p/110853#M23278 dominiquevocat 2014-09-08T11:56:22Z