Deployment Architecture

Is there a way to ID the info being sent to one indexer from multiple forwarders in separate environments?

tpward123
Loves-to-Learn Lots

(Novice) Is there a way to identify uniquely the information that is being sent to a single indexer from multiple forwarders in separate environments? Each environment is a mirror of the other. They all have the same IPs and hostnames, including the forwarders.
Maybe there is a tag the forwarder can apply or something that makes them unique?

0 Karma

PickleRick
SplunkTrust

No. There is no "channel-level" metadata that you could leverage. So if all your forwarders are undistinguishable from one another there's no telling where the event came from.

0 Karma

tpward123
Loves-to-Learn Lots

Thanks Rick.
I've been searching the Solutions archive.
Is there a _meta value that I can set to reflect which environment is sending?

Env1::Site1
Env1::Site2
....

Env2:Site1
Env2:Site2

 

0 Karma

PickleRick
SplunkTrust

You can do that (and that's exactly what I use in one of my environments).

If you can adjust your forwarder configuration, that's probably the way to go if you want to have a 100% sure method of differentiating between various sites.

There is no default field you can set (unless you use the host field but be aware that some sourcetypes can overwrite this field during indexing) so you have to set your own indexed field. And remember to configure it properly on the search-heads as well.

EDIT: and try to think of a field name that's highly unlikely to appear in your events so that your fields do not clash.

0 Karma
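
The setup described in the answer above, written out as an added example (not configuration posted by anyone in the thread). The field name `src_env_site`, the value `env1_site1` and the monitored path and sourcetype are assumptions chosen for illustration.

```ini
# ---------------------------------------------------------------
# On each forwarder: inputs.conf
# (e.g. $SPLUNK_HOME/etc/system/local/inputs.conf or an app's local/)
# ---------------------------------------------------------------

# _meta attaches an indexed field (key::value) to every event the
# input produces. Setting it under [default] covers all inputs on
# this forwarder. Use a different value per environment/site.
[default]
_meta = src_env_site::env1_site1

# If an individual input stanza sets its own _meta, that value
# replaces the [default] one rather than adding to it, so repeat
# the site marker there as well (hypothetical input shown).
[monitor:///var/log/app/app.log]
sourcetype = app_log
_meta = src_env_site::env1_site1

# ---------------------------------------------------------------
# On the search heads: fields.conf
# ---------------------------------------------------------------

# Declares the field as indexed so that a search such as
#   index=main src_env_site=env1_site1
# is resolved against the index instead of search-time extraction.
[src_env_site]
INDEXED = true
```

Because the environments share IPs and hostnames, this marker is the only thing separating their events on the indexer, so the per-site value has to be managed as part of each forwarder's deployed configuration.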