I'm fairly certain the forwarder's GUID isn't stored for an event.
If you're flexible about your configuration and not worried about mild performance impacts you could however create your own GUID storage.
Here's a rough draft:
That should be transparent to your existing reports/alerts.
Thanks! I'd just started reading up on indexed fields. The performance hit warning is a concern but certainly a good place to start and we can test the impact.
What I was also thinking, instead of changing hostnames which can't happen here for various reasons, is something like this in transforms.conf...
 <--- empty
REGEX = .*
FORMAT = guid::"
WRITE_META = true
The ID here would be hardcoded into the conf file rather than using $1 from a regex match. Does that sound like a sensible option? Thanks again.
We're using a mix. I know to use transforms like this we'll need to replace the universals with heavies but that's not a major hurdle.