Getting Data In

How can I locate the actual source of events?

zindain24
Path Finder

I have a sourcetype that has a non-descriptive host and a source defined (both appear to have been overwritten by stanzas in inputs.conf).

Was wondering how I could track this back to the originating system so I can change the configuration. Right now I have no idea where the events are coming from. They are definitely coming from a universal or heavy forwarder.

Thanks

0 Karma

bandit
Motivator

I would recommend including the sourcetype in your question. For example, if Splunk is monitoring a syslog feed, it will override the forwarder host name with the host name written in the log records.

If you are using deployment server, you should be able to find rules for monitoring your sourcetype under an app in SPLUNK_HOME/etc/deployment-apps on your deployment server. Then use the application name found under deployment-apps and reference against serverclass.conf to see where your monitoring rules are targeted to.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...