https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413118#M73078 <P>It doesn't all have to be in one folder. Just have the HF name somewhere in the path. For example, say currently you have:<BR /> /opt/logs/typeA/foo.log<BR /> /opt/logs/typeB/bar.log</P> <P>Just create something like /opt/hf.dmz.com/logs/ as a symbolic link to /opt/logs/ and update splunk inputs accordingly. Which results in source values like:</P> <P>/opt/hf.dmz.com/logs/typeA/foo.log<BR /> /opt/hf.dmz.com/logs/typeB/bar.log</P> Tue, 22 Jan 2019 15:07:06 GMT FrankVl 2019-01-22T15:07:06Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413107#M73067 <P>We have a DMZ heavy forwarder (HF) that sends logs from the devices on the DMZ environment to our Splunk server. I need to know the name of the devices that are sending the data through the HF. </P> <P>How can I get that information? </P> Fri, 18 Jan 2019 11:19:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413107#M73067 kcooper 2019-01-18T11:19:55Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413108#M73068 <P>HI,</P> <P>try this query : <CODE>index=_internal sourcetype=splunkd host=&lt;heavyforwardername&gt; group=per_host_thruput | stats values(series)</CODE></P> Fri, 18 Jan 2019 11:25:24 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413108#M73068 dkeck 2019-01-18T11:25:24Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413109#M73069 <P>Your title and question are confusing. What do you want to find out? The name of the HF that was involved in processing a certain event, or the name of the original source host from which the event originated?</P> <P>What kind of data feed are we talking about here? How are they sending through the HF? What kind of Splunk input is used? In case you're interested in the original source host: what does the data look like, does that contain the original host name?</P> Mon, 21 Jan 2019 10:42:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413109#M73069 FrankVl 2019-01-21T10:42:05Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413110#M73070 <P>Please accept the answer if it helped you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thank you</P> Tue, 22 Jan 2019 06:38:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413110#M73070 dkeck 2019-01-22T06:38:12Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413111#M73071 <P>Thank you. This worked great. </P> Tue, 22 Jan 2019 13:14:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413111#M73071 kcooper 2019-01-22T13:14:39Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413112#M73072 <P>Then please hit accept to award points <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> thank you</P> Tue, 22 Jan 2019 13:17:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413112#M73072 dkeck 2019-01-22T13:17:14Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413113#M73073 <P>I highly doubt that works great, since the per_x_thruput metrics logs are incomplete. As the docs specify:</P> <PRE><CODE>Note: The per_x_thruput categories are not complete. Remember that by default metrics.log shows the 10 busiest of each type, for each sampling window. If you have 2000 active forwarders, you cannot expect to see the majority of them in this data. You can adjust the sampling quantity, but this will increase the chattiness of metrics.log and the resulting indexing load and _internal index size. The sampling quantity is adjustable in limits.conf, [metrics] maxseries = num. </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.3/Troubleshooting/Aboutmetricslog" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.2.3/Troubleshooting/Aboutmetricslog</A></P> Tue, 29 Sep 2020 22:51:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413113#M73073 FrankVl 2020-09-29T22:51:59Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413114#M73074 <P>What would you suggest then?</P> Tue, 22 Jan 2019 14:06:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413114#M73074 dkeck 2019-01-22T14:06:30Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413115#M73075 <P>I have skimmed the list of devices that was returned and it looks good but I am not sure at this time if all the devices are listed.</P> <P>What would you suggest? </P> Tue, 22 Jan 2019 14:25:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413115#M73075 kcooper 2019-01-22T14:25:59Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413116#M73076 <P>As I mentioned in my original comment to your question: that highly depends on how the data is coming in.</P> <P>One thing you can do to allow filtering for data coming through a certain HF using file monitor inputs is to put the log files that splunk reads in a folder that is named after the HF's hostname. That way, the HF's name shows up in the source field.</P> <P>Another solution is to add a custom meta data field, to explicitly label each event with the HF it passed through.</P> Tue, 22 Jan 2019 14:37:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413116#M73076 FrankVl 2019-01-22T14:37:58Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413117#M73077 <P>we can't have the all the log files in one. they are all different devices. <BR /> I will look into adding a custom meta data field - that is a good idea <BR /> thx</P> Tue, 22 Jan 2019 14:41:38 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413117#M73077 kcooper 2019-01-22T14:41:38Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413118#M73078 <P>It doesn't all have to be in one folder. Just have the HF name somewhere in the path. For example, say currently you have:<BR /> /opt/logs/typeA/foo.log<BR /> /opt/logs/typeB/bar.log</P> <P>Just create something like /opt/hf.dmz.com/logs/ as a symbolic link to /opt/logs/ and update splunk inputs accordingly. Which results in source values like:</P> <P>/opt/hf.dmz.com/logs/typeA/foo.log<BR /> /opt/hf.dmz.com/logs/typeB/bar.log</P> Tue, 22 Jan 2019 15:07:06 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-find-out-what-heavy-forwarder-a-device-is-sending-logs/m-p/413118#M73078 FrankVl 2019-01-22T15:07:06Z