Hi all
I'm trying to deal with an issue where hostnames are not unique but are forwarding to the same Splunk indexer.
I know every Splunk instance should have a unique GUID. Is there a way of finding the GUID of the Splunk instance that generated an event?
Thanks
Jim
I'm fairly certain the forwarder's GUID isn't stored for an event.
If you're flexible about your configuration and not worried about mild performance impacts you could however create your own GUID storage.
Here's a rough draft:
That should be transparent to your existing reports/alerts.
We're using a mix. I know to use transforms like this we'll need to replace the universals with heavies but that's not a major hurdle.
Are you using universal or heavy forwarders?
Thanks! I'd just started reading up on indexed fields. The performance hit warning is a concern but certainly a good place to start and we can test the impact.
What I was also thinking, instead of changing hostnames, which can't happen here for various reasons, is something like this in transforms.conf...
[] <--- empty
REGEX = .*
FORMAT = guid::"
WRITE_META = true
The ID here would be hardcoded into the conf file rather than using $1 from a regex match. Does that sound like a sensible option? Thanks again.
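One way to wire the hardcoded-GUID idea end to end, as an added example rather than config from any of the posters above: the stanza names, the field name forwarder_guid and the all-zero GUID are placeholders, and the real value would be copied from that heavy forwarder's own $SPLUNK_HOME/etc/instance.cfg.

```ini
# props.conf (on the heavy forwarder that parses the data)
# Apply the transform to every event this forwarder handles.
[default]
TRANSFORMS-forwarder_guid = add_forwarder_guid

# transforms.conf (same heavy forwarder)
# REGEX only needs to match so the transform fires; the FORMAT value is a
# literal rather than a $1 capture, so each forwarder carries its own GUID.
# Placeholder GUID below: replace with the guid= line from etc/instance.cfg.
[add_forwarder_guid]
REGEX = .
FORMAT = forwarder_guid::"00000000-0000-0000-0000-000000000000"
WRITE_META = true

# fields.conf (on the search head)
# Mark the field as indexed so forwarder_guid=<value> in a search is resolved
# against the index rather than by extracting at search time.
[forwarder_guid]
INDEXED = true
```

With this in place, events from two forwarders that report the same host value can still be told apart with a search such as `index=<your_index> forwarder_guid=<guid>`, and existing reports that do not reference the field are unaffected.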