https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-raw-events-splunk-instance-origin/m-p/86604#M22082 <P>Well, it seems that you can't indentify the source splunk instance.</P> Mon, 15 Oct 2012 22:52:56 GMT Lucas_K 2012-10-15T22:52:56Z https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-raw-events-splunk-instance-origin/m-p/86603#M22081 <P>Does anyone know how to identify the splunk instance from which a raw event was forwarded?<BR /> Note: this could either be a heavy or a universal forwarder.</P> <P>I might have expected to see a field that had this information but I can't see to find it.</P> <P>I am looking to prove where specific already indexed messages came from.</P> <P>The issue I have is that I believe a second forwarder instance was accidentally started on the same machine and it that forwarded the same events to the same index. We converted from a heavy to a universal but the heavy was restarted during an OS reboot (forgot to run the boot-start command i expect).</P> <P>A "| dedup _raw" fixes it for future searches but I am just interested in how I could specifically identify the source. Ideally so I can filter these results with a |delete also <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>Thanks.</P> Thu, 11 Oct 2012 05:32:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-raw-events-splunk-instance-origin/m-p/86603#M22081 Lucas_K 2012-10-11T05:32:57Z https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-raw-events-splunk-instance-origin/m-p/86604#M22082 <P>Well, it seems that you can't indentify the source splunk instance.</P> Mon, 15 Oct 2012 22:52:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-identify-a-raw-events-splunk-instance-origin/m-p/86604#M22082 Lucas_K 2012-10-15T22:52:56Z