https://community.splunk.com/t5/Splunk-Search/Understand-which-HF-send-data-to-whic-index/m-p/691553#M235464 <P>Hi Splunkers, currently we are managing an Enterprise Splunk environment previously managed by another company. As sadly often occurs, no documentation has been released and so we had to discover almost information about architecture by ourselves. We successfully managed many tasks related to this big problem, but few ones remain; in particular, the one for what I open this discussion.</P><P>The point is this: almost total ingested data are collected flowing to a couple of HF. This means that data flow is, typically:</P><P>Log sources -&gt; On prem HF -&gt; Cloud HF (on IaaS VM) -&gt; Cloud Indexer (on IaaS VM).</P><P>With a search discovered here on community, based on internal logs, I found how to understand what Splunk component send data to another Splunk one. I mean: suppose I have</P><P>HF on prem 1 -&gt; Hf on cloud 2</P><P>I know how to discover this analyzing the internal logs. But what about if I want to discover which HF on prem collect data sent to a specific index? Let me do an example. Suppose I have this host set:</P><P>Log sources (with NO UF installed on them)</P><P>Log source 1<BR />Log source 2<BR />Log source 3</P><P>On prem HF</P><P>HF on prem 1<BR />HF on prem 2<BR />HF on prem 3</P><P>On cloud HF (IaaS VM)</P><P>HF on Cloud 1</P><P>On cloud indexer</P><P>Indexer on cloud 1 (IaaS VM)</P><P>Indexes</P><P>index1<BR />index2<BR />index3</P><P>At starting point, I know only that all 3 On prem HF collect data and send them to HF on Cloud: then, data are sent to the Indexer. I don’t know which On prem HF collect data from which Log source, and in which index data are collected once they arrive on indexer; for sure, I could ask to system owner what configuration has been performed on log sources, but the idea is to discover this with a Splunk Search. Is this possible?</P><P>The idea is to have a search where I can specify the exact flow. For example, suppose that 1 of the above flow is:<BR /><BR />Log source 1 -&gt; On Prem HF 2 -&gt; On Cloud HF -&gt; On Cloud Indexer -&gt; index3</P><P>I must be able to discover it.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 Jun 2024 12:13:25 GMT SplunkExplorer 2024-06-25T12:13:25Z https://community.splunk.com/t5/Splunk-Search/Understand-which-HF-send-data-to-whic-index/m-p/691553#M235464 <P>Hi Splunkers, currently we are managing an Enterprise Splunk environment previously managed by another company. As sadly often occurs, no documentation has been released and so we had to discover almost information about architecture by ourselves. We successfully managed many tasks related to this big problem, but few ones remain; in particular, the one for what I open this discussion.</P><P>The point is this: almost total ingested data are collected flowing to a couple of HF. This means that data flow is, typically:</P><P>Log sources -&gt; On prem HF -&gt; Cloud HF (on IaaS VM) -&gt; Cloud Indexer (on IaaS VM).</P><P>With a search discovered here on community, based on internal logs, I found how to understand what Splunk component send data to another Splunk one. I mean: suppose I have</P><P>HF on prem 1 -&gt; Hf on cloud 2</P><P>I know how to discover this analyzing the internal logs. But what about if I want to discover which HF on prem collect data sent to a specific index? Let me do an example. Suppose I have this host set:</P><P>Log sources (with NO UF installed on them)</P><P>Log source 1<BR />Log source 2<BR />Log source 3</P><P>On prem HF</P><P>HF on prem 1<BR />HF on prem 2<BR />HF on prem 3</P><P>On cloud HF (IaaS VM)</P><P>HF on Cloud 1</P><P>On cloud indexer</P><P>Indexer on cloud 1 (IaaS VM)</P><P>Indexes</P><P>index1<BR />index2<BR />index3</P><P>At starting point, I know only that all 3 On prem HF collect data and send them to HF on Cloud: then, data are sent to the Indexer. I don’t know which On prem HF collect data from which Log source, and in which index data are collected once they arrive on indexer; for sure, I could ask to system owner what configuration has been performed on log sources, but the idea is to discover this with a Splunk Search. Is this possible?</P><P>The idea is to have a search where I can specify the exact flow. For example, suppose that 1 of the above flow is:<BR /><BR />Log source 1 -&gt; On Prem HF 2 -&gt; On Cloud HF -&gt; On Cloud Indexer -&gt; index3</P><P>I must be able to discover it.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 25 Jun 2024 12:13:25 GMT https://community.splunk.com/t5/Splunk-Search/Understand-which-HF-send-data-to-whic-index/m-p/691553#M235464 SplunkExplorer 2024-06-25T12:13:25Z https://community.splunk.com/t5/Splunk-Search/Understand-which-HF-send-data-to-whic-index/m-p/691605#M235481 <P>HFs process data transparently so there's no way to track the flow of events.&nbsp; Many customers work around that by having the HF add a field to every event where the value of the field is the HF's name.</P> Tue, 25 Jun 2024 19:06:26 GMT https://community.splunk.com/t5/Splunk-Search/Understand-which-HF-send-data-to-whic-index/m-p/691605#M235481 richgalloway 2024-06-25T19:06:26Z