https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170185#M34381 <P>I know what server it's coming from I'm trying to find out if it's some default data from the universal forwarder, from the windows infrastructure app, or from the VMware app we have loaded.</P> <P>I dont think it's the vmware app because it splits their sourcetypes into vmware:something...</P> <P>So I think it's either the default or the infrastrcture app.</P> <P>I have suspicions it's the default forwarder actions, but if that's the case why wouldnt every server i have the forwarder on send perfmon data, unless it's because these 2 are my DCs.</P> <P>In any event Im more interested in blocking it.</P> Tue, 05 Aug 2014 13:57:51 GMT jbleich 2014-08-05T13:57:51Z https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170181#M34377 <P>I'm a new splunk user, so be kind <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>I have about 80% of my daily volume coming in what i believe to be un-needed informaton. I cant tell where the data is coming from, all i know is index=main and sourcetype=Perfmon:process</P> <P>Now i thought it was the universal forwarders on my DC's, I have 2 of them and pushed out the app via the deployment server and i changed the .conf file to disable Perfmon:process, but apparently that wasnt it...it must be coming from somewhere else.</P> <P>Any help would be appreciated.</P> Mon, 04 Aug 2014 20:58:53 GMT https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170181#M34377 jbleich 2014-08-04T20:58:53Z https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170182#M34378 <P>There should be a field host which should tell you from which server its coming from.</P> Mon, 04 Aug 2014 21:02:06 GMT https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170182#M34378 somesoni2 2014-08-04T21:02:06Z https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170183#M34379 <P>somesoni2 has already pointed what you need to check.</P> <P>index=main | dedup host | table host</P> Tue, 05 Aug 2014 02:06:31 GMT https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170183#M34379 strive 2014-08-05T02:06:31Z https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170184#M34380 <P>Hello,<BR /> below is the fastest way to get the time and host which is responsible for the data.</P> <P>|metadata type=hosts index=*</P> <P>It shows you the first and latest received event time and number of events. So try this.</P> <P>Thanks,<BR /> L</P> Tue, 05 Aug 2014 04:20:09 GMT https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170184#M34380 linu1988 2014-08-05T04:20:09Z https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170185#M34381 <P>I know what server it's coming from I'm trying to find out if it's some default data from the universal forwarder, from the windows infrastructure app, or from the VMware app we have loaded.</P> <P>I dont think it's the vmware app because it splits their sourcetypes into vmware:something...</P> <P>So I think it's either the default or the infrastrcture app.</P> <P>I have suspicions it's the default forwarder actions, but if that's the case why wouldnt every server i have the forwarder on send perfmon data, unless it's because these 2 are my DCs.</P> <P>In any event Im more interested in blocking it.</P> Tue, 05 Aug 2014 13:57:51 GMT https://community.splunk.com/t5/Getting-Data-In/Help-locating-what-forwarder-data-is-coming-from/m-p/170185#M34381 jbleich 2014-08-05T13:57:51Z